rebroadcast: add rtsp path to prevent port guessing access

koush · Feb 25, 2023 · e169a6e · e169a6e
1 parent ef55c83
commit e169a6e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/plugins/prebuffer-mixin/src/file-rtsp-server.ts b/plugins/prebuffer-mixin/src/file-rtsp-server.ts
@@ -1,15 +1,15 @@
-import { RtspServer, Headers } from "@scrypted/common/src/rtsp-server";
-import net from 'net';
+import { Headers, RtspServer } from "@scrypted/common/src/rtsp-server";
 import fs from 'fs';
+import net from 'net';
 
 // non standard extension that dumps the rtp payload to a file.
 export class FileRtspServer extends RtspServer {
     writeStream: fs.WriteStream;
     segmentBytesWritten = 0;
     writeConsole: Console;
 
-    constructor(client: net.Socket, sdp?: string) {
-        super(client, sdp);
+    constructor(client: net.Socket, sdp?: string, checkRequest?: (method: string, url: string, headers: Headers, rawMessage: string[]) => Promise<boolean>) {
+        super(client, sdp, undefined, checkRequest);
 
         this.client.on('close', () => {
             if (this.writeStream)

diff --git a/plugins/prebuffer-mixin/src/main.ts b/plugins/prebuffer-mixin/src/main.ts
@@ -1115,9 +1115,14 @@ class PrebufferSession {
       }
 
       const client = await listenZeroSingleClient();
+      const rtspServerPath = '/' + crypto.randomBytes(8).toString('hex');
       socketPromise = client.clientPromise.then(async (socket) => {
         sdp = addTrackControls(sdp);
-        server = new FileRtspServer(socket, sdp);
+        server = new FileRtspServer(socket, sdp, async (method, url, headers, rawMessage) => {
+          server.checkRequest = undefined;
+          const u = new URL(url);
+          return u.pathname === rtspServerPath;
+        });
         server.writeConsole = this.console;
         if (session.parserSpecific) {
           const parserSpecific = session.parserSpecific as RtspSessionParserSpecific;
@@ -1142,7 +1147,7 @@ class PrebufferSession {
         interleavePassthrough = session.parserSpecific && serverPortMap.size === 0;
         return socket;
       })
-      url = client.url.replace('tcp://', 'rtsp://');
+      url = client.url.replace('tcp://', 'rtsp://') + rtspServerPath;
     }
     else {
       const client = await listenZeroSingleClient();
@@ -1252,15 +1257,15 @@ class PrebufferMixin extends SettingsMixinDeviceBase<VideoCamera> implements Vid
         const u = new URL(url);
 
         for (const session of this.sessions.values()) {
-          if (u.pathname.endsWith(session.rtspServerPath)) {
+          if (u.pathname === '/' + session.rtspServerPath) {
             server.console = session.console;
             prebufferSession = session;
             prebufferSession.ensurePrebufferSession();
             await prebufferSession.parserSessionPromise;
             server.sdp = await prebufferSession.sdp;
             return true;
           }
-          if (u.pathname.endsWith(session.rtspServerMutedPath)) {
+          if (u.pathname === '/' + session.rtspServerMutedPath) {
             server.console = session.console;
             prebufferSession = session;
             prebufferSession.ensurePrebufferSession();
@@ -1326,7 +1331,7 @@ class PrebufferMixin extends SettingsMixinDeviceBase<VideoCamera> implements Vid
   }
 
   async getVideoStream(options?: RequestMediaStreamOptions): Promise<MediaObject> {
-    if (options?.directMediaStream)
+    if (options?.route === 'direct')
       return this.mixinDevice.getVideoStream(options);
 
     await this.ensurePrebufferSessions();