Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Add server setting to disable SSRF req filters to allow internal addresses #2549

Closed
undaunt opened this issue Jan 24, 2024 · 11 comments
Closed

[Enhancement] Add server setting to disable SSRF req filters to allow internal addresses #2549

undaunt opened this issue Jan 24, 2024 · 11 comments
Labels
enhancement New feature or request

Comments

@undaunt
Copy link

undaunt commented Jan 24, 2024

Describe the issue

I generated a filtered RSS podcast feed from a self-hosted instance of rss-bridge in mrss format. The feed appears very similar to an identically regex filtered feed created on SiftRSS.

When I attempt to add the feed to audiobookshelf, I received a popup 'Failed to get podcast feed', and the browser console errors are:

POST https://abs.domain.com/api/podcasts/feed 404 (Not Found)
Axios error 404 Podcast RSS feed request failed or invalid response data
64dd6ee.js:1 Failed to get feed Error: Request failed with status code 404
    at t.exports (f95bec9.js:2:194980)
    at t.exports (f95bec9.js:2:242271)
    at XMLHttpRequest.E (f95bec9.js:2:193574)

The SiftRSS link of the same podcast regex works without issue - https://siftrss.com/f/G6k08l5zqgL

Both the SiftRSS and my rss-bridge feed work when I test them at https://rssviewer.app/. I temporarily exposed my rss-bridge with a public CNAME to test this, but generally it is only accessible from my private network as it redirects the FQDN to my Traefik host.

I am able to successfully pull the entire feed from shell with docker exec audiobookshelf curl "https://rss.domain.com/feedurl" but without quotes, I receive an error so I'm wondering if Audiobookshelf is having an issue escaping some of the characters in the full URL?

Partly sanitized URL:

https://rss.domain.com/?action=display&bridge=FilterBridge&url=https%3A%2F%2Ffeeds.megaphone.fm%2FQCD8414694967&filter=%5E%28Gatewalkers+Episode%7CGatewalkers+Session%29&filter_type=block&target_title=on&length_limit=-1&format=Mrss

Steps to reproduce the issue

  1. Attempt to add the URL as a new podcast.

Audiobookshelf version

v2.7.2

How are you running audiobookshelf?

Docker
@undaunt undaunt added the bug Something isn't working label Jan 24, 2024
@undaunt undaunt mentioned this issue Jan 24, 2024
Open
@undaunt
Copy link
Author

undaunt commented Jan 25, 2024

I have also opened an issue with rss-bridge in case it's due to how they transform the feed during filtering, though another user in #1781 was able to add a feed successfully already, so that may not be the issue at hand.

@advplyr
Copy link
Owner

advplyr commented Feb 18, 2024

Is this an issue with abs or rss-bridge? I've never used that so I'm not sure what to make of this.

@advplyr advplyr added the waiting Waiting for OP label Feb 18, 2024
@zentonic
Copy link

zentonic commented Feb 27, 2024
edited
Loading

i think it's an issue in podcastUtils.js

here is what happens in the audiobookshelf container:

audiobookshelf  | 2024-02-27T23:09:56.030029941Z [2024-02-27 23:09:56.029] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)
audiobookshelf  | 2024-02-27T23:10:42.252620865Z [2024-02-27 23:10:42.252] DEBUG: [podcastUtils] getPodcastFeed for "https://rss-bridge.org/bridge01/?action=display&bridge=ARDAudiothekBridge&path=https%3A%2F%2Fwww.ardaudiothek.de%2Fsendung%2F100-aus-100-die-hoerspiel-collection%2F12800327%2F&limit=&format=Atom" (podcastUtils.js:229)
audiobookshelf  | 2024-02-27T23:10:43.170091802Z [2024-02-27 23:10:43.169] DEBUG: [podcastUtils] getPodcastFeed for "https://rss-bridge.org/bridge01/?action=display&bridge=ARDAudiothekBridge&path=https%3A%2F%2Fwww.ardaudiothek.de%2Fsendung%2F100-aus-100-die-hoerspiel-collection%2F12800327%2F&limit=&format=Atom" success - parsing xml (podcastUtils.js:254)
audiobookshelf  | 2024-02-27T23:10:43.206152232Z [2024-02-27 23:10:43.205] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)
audiobookshelf  | 2024-02-27T23:21:16.826517083Z [2024-02-27 23:21:16.825] DEBUG: [podcastUtils] getPodcastFeed for "https://siftrss.com/f/By7vlK6Z3Q" (podcastUtils.js:229)
audiobookshelf  | 2024-02-27T23:21:17.856221879Z [2024-02-27 23:21:17.855] DEBUG: [podcastUtils] getPodcastFeed for "https://siftrss.com/f/By7vlK6Z3Q" success - parsing xml (podcastUtils.js:254)
audiobookshelf  | 2024-02-27T23:21:17.890041392Z [2024-02-27 23:21:17.889] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)

But other Clients have no problems and w3c feed validator says, thats a correct feed: w3c validator

Update: Here is the correct Link. The first i wrote was wrong.
|||
VV
even on this siftrss Feed...

@advplyr
Copy link
Owner

advplyr commented Feb 27, 2024

I've not seen a podcast RSS feed that looks like the one you are using.

The RSS feeds Abs is expecting look like this: https://help.apple.com/itc/podcasts_connect/#/itcbaf351599

https://www.castfeedvalidator.com/validate.php?url=https://siftrss.com/f/By7vlK6Z3Q

Abs is expecting the <rss> tag as the opening tag not <feed>. I'm not sure if that is a requirement for podcast rss feeds, I've just not seen it done otherwise.

Are you able to add that RSS feed to other podcast apps? I doubt that would be recognized as a podcast

@undaunt
Copy link
Author

undaunt commented Feb 27, 2024

@zentonic Thanks for jumping in as I've been super busy recently.

@advplyr They acknowledge on rss-bridge's end that their feed handling isn't totally spot on in reproducing a feed that has been filtered like SiftRSS is, however I'm able to add an rss-bridge feed to other podcast applications without an error as well.

@advplyr
Copy link
Owner

advplyr commented Feb 28, 2024

What podcast app accepts that format of RSS feed so that I can test it out?

@zentonic
Copy link

zentonic commented Feb 28, 2024
edited
Loading

Are you able to add that RSS feed to other podcast apps? I doubt that would be recognized as a podcast

I am particularly interested in this feed:
https://www.ardaudiothek.de/sendung/100-aus-100-die-hoerspiel-collection/12800327/

Unfortunately, not all "podcasts" from German radio stations have real feeds.

That's why I'm glad that rss bridge is now building them. On the page you can select ATOM and then this feed appears.

This is w3c validatable and can also be used in AntennaPOD, for example.

1000006416
1000006417

But i would prefer to use audiobookshelf instead for listening this productions :-)

siftrss was for me a experiment to "enhance" oder "clean up" the rss bridge feed. since i wrote a static-page podcast publisher i know that the feed thing is ugly. and all clients and libraries and servers do other things.

but i don't know what happens here.

@undaunt
Copy link
Author

undaunt commented Feb 28, 2024

What podcast app accepts that format of RSS feed so that I can test it out?

Apple Podcasts loads the feed without issue on my iPhone.

@zentonic
Copy link

zentonic commented Mar 2, 2024

instead of

<?xml version="1.0" encoding="UTF-8"?>
<rss 
…

rss-bridges feed starts with

<?xml version="1.0"?>
<feed
…

after disabling in https://github.com/advplyr/audiobookshelf/blob/master/server/utils/podcastUtils.js ... around line 200 !json?.rss

there is a new error:

audiobookshelf  | 2024-03-02T11:29:04.925558727Z [2024-03-02 11:29:04.924] ERROR: [podcastUtils] getPodcastFeed Error Error: Call to 10.13.123.254 is blocked.

BUT:
For ARD Audiothek there is another Feed Generator: https://github.com/matztam/ARD-Audiothek-RSS/blob/main/ardaudiothek-rss.php

The Feeds from there are working fine (slow but fine and also only on external domains, not in LAN) without any changes in Audiobookshelf.

@advplyr
Copy link
Owner

advplyr commented Mar 2, 2024

That has to do with an SSRF filter blocking internal IPs. That was put in after a security advisory but a way to disable that is going to be put in soon. I'm not sure what that will be yet but probably an environment variable.

@advplyr advplyr changed the title [Bug]: Unable to add mrss feed generated from rss-bridge [Enhancement] Add server setting to disable SSRF req filters to allow internal addresses Apr 24, 2024
@advplyr advplyr added enhancement New feature or request and removed bug Something isn't working waiting Waiting for OP labels Apr 24, 2024
@advplyr advplyr mentioned this issue Apr 24, 2024
Closed
advplyr added a commit that referenced this issue Jun 3, 2024
@advplyr
Update:Support for ENV variables to disable SSRF request filter (DISA…
9c33446 
…BLE_SSRF_REQUEST_FILTER=1) #2549
@advplyr advplyr added the awaiting release Issue is resolved and will be in the next release label Jun 3, 2024
@advplyr
Copy link
Owner

advplyr commented Jul 9, 2024

Added in v2.11.0

Using environment variable DISABLE_SSRF_REQUEST_FILTER=1

@advplyr advplyr closed this as completed Jul 9, 2024
@advplyr advplyr removed the awaiting release Issue is resolved and will be in the next release label Jul 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zentonic @undaunt @advplyr