peertube-plugin-sponsorblock 0.2.1 → 0.3.0

package/client/video-watch.js

@@ -210,7 +210,11 @@ function register({ registerHook, peertubeHelpers }) {
     const currentDiv = document.createElement('div')
     currentDiv.className = 'sponsorblock-widget-current'
     if (currentMapping) {
-      currentDiv.innerHTML = `${currentLabel} <code>${currentMapping.youtube_id}</code>`
+      currentDiv.textContent = ''
+      currentDiv.appendChild(document.createTextNode(currentLabel + ' '))
+      const code = document.createElement('code')
+      code.textContent = currentMapping.youtube_id
+      currentDiv.appendChild(code)
     }
     content.appendChild(currentDiv)
 
@@ -299,7 +303,11 @@ function register({ registerHook, peertubeHelpers }) {
         }
 
         // Update current mapping display
-        currentDiv.innerHTML = `${currentLabel} <code>${data.youtubeId}</code>`
+        currentDiv.textContent = ''
+        currentDiv.appendChild(document.createTextNode(currentLabel + ' '))
+        const codeEl = document.createElement('code')
+        codeEl.textContent = data.youtubeId
+        currentDiv.appendChild(codeEl)
         input.value = ''
 
       } catch (e) {

package/main.js

@@ -5,6 +5,73 @@
 
 const { registerRoutes } = require('./server/routes')
 const { getVideoDuration, processVideoFile, findVideoFiles } = require('./server/ffmpeg')
+const { URL } = require('url')
+
+/**
+ * Validate that an API URL is safe (not targeting internal/private networks)
+ * Rejects private IPs, loopback, link-local, and non-HTTPS schemes
+ */
+function validateApiUrl(urlString) {
+  let parsed
+  try {
+    parsed = new URL(urlString)
+  } catch {
+    throw new Error(`Invalid API URL: ${urlString}`)
+  }
+
+  if (parsed.protocol !== 'https:') {
+    throw new Error(`API URL must use HTTPS, got: ${parsed.protocol}`)
+  }
+
+  const hostname = parsed.hostname
+
+  // Reject IPv6 private/loopback
+  if (hostname.startsWith('[')) {
+    const ipv6 = hostname.slice(1, -1).toLowerCase()
+    if (ipv6 === '::1' || ipv6.startsWith('fc') || ipv6.startsWith('fd') || ipv6.startsWith('fe80')) {
+      throw new Error(`API URL must not target private/internal addresses: ${hostname}`)
+    }
+  }
+
+  // Reject IPv4 private/loopback/link-local ranges
+  const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
+  if (ipv4Match) {
+    const [, a, b] = ipv4Match.map(Number)
+    if (
+      a === 127 ||                          // 127.0.0.0/8 loopback
+      a === 10 ||                           // 10.0.0.0/8 private
+      (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12 private
+      (a === 192 && b === 168) ||           // 192.168.0.0/16 private
+      (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local
+      a === 0                               // 0.0.0.0/8
+    ) {
+      throw new Error(`API URL must not target private/internal addresses: ${hostname}`)
+    }
+  }
+
+  // Reject localhost by name
+  if (hostname === 'localhost' || hostname.endsWith('.local')) {
+    throw new Error(`API URL must not target local addresses: ${hostname}`)
+  }
+
+  return parsed.toString()
+}
+
+/**
+ * Validate a segment from the SponsorBlock API response
+ */
+function validateSegment(segment) {
+  if (!segment || typeof segment !== 'object') return false
+  if (typeof segment.UUID !== 'string' || segment.UUID.length === 0 || segment.UUID.length > 128) return false
+  if (!Array.isArray(segment.segment) || segment.segment.length !== 2) return false
+  const [start, end] = segment.segment
+  if (typeof start !== 'number' || typeof end !== 'number') return false
+  if (start < 0 || end < 0 || start >= end) return false
+  if (!isFinite(start) || !isFinite(end)) return false
+  if (typeof segment.category !== 'string' || segment.category.length === 0 || segment.category.length > 50) return false
+  if (segment.votes !== undefined && typeof segment.votes !== 'number') return false
+  return true
+}
 
 let workerIntervalId = null
 let syncIntervalId = null
@@ -102,7 +169,7 @@ function registerSettings(registerSetting) {
     label: 'SponsorBlock API URL',
     type: 'input',
     default: 'https://sponsor.ajay.app',
-    private: false
+    private: true
   })
 
   registerSetting({
@@ -230,9 +297,9 @@ function registerImportHooks(registerHook, peertubeHelpers, settingsManager) {
     target: 'filter:api.video.post-import-url.accept.result',
     handler: async (result, params) => {
       try {
-        const { videoImport } = params
+        const { videoImport, video } = params
 
-        if (!videoImport || !videoImport.video) {
+        if (!videoImport || !video) {
           return result
         }
 
@@ -244,12 +311,12 @@ function registerImportHooks(registerHook, peertubeHelpers, settingsManager) {
           return result
         }
 
-        logger.info(`Video imported from YouTube: ${youtubeId} -> ${videoImport.video.uuid}`)
+        logger.info(`Video imported from YouTube: ${youtubeId} -> ${video.uuid}`)
 
         // Save mapping
         await saveYouTubeMapping(
           peertubeHelpers,
-          videoImport.video.uuid,
+          video.uuid,
           youtubeId
         )
 
@@ -265,7 +332,7 @@ function registerImportHooks(registerHook, peertubeHelpers, settingsManager) {
         if (mode === 'remove') {
           await queueVideoProcessing(
             peertubeHelpers,
-            videoImport.video.uuid,
+            video.uuid,
             youtubeId
           )
         }
@@ -322,6 +389,7 @@ async function fetchAndCacheSegments(peertubeHelpers, settingsManager, youtubeId
 
   try {
     const apiUrl = await settingsManager.getSetting('api_url') || 'https://sponsor.ajay.app'
+    validateApiUrl(apiUrl)
     const url = `${apiUrl}/api/skipSegments?videoID=${youtubeId}`
 
     logger.debug(`Fetching SponsorBlock segments for ${youtubeId}`)
@@ -338,30 +406,42 @@ async function fetchAndCacheSegments(peertubeHelpers, settingsManager, youtubeId
 
     const segments = await response.json()
 
-    // Delete old segments
-    await database.query(`
-      DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
-    `, { bind: [youtubeId] })
-
-    // Insert new segments
-    for (const segment of segments) {
+    // Delete old and insert new segments in a transaction
+    await database.query('BEGIN')
+    try {
       await database.query(`
-        INSERT INTO plugin_sponsorblock_segments
-        (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
-        VALUES ($1, $2, $3, $4, $5, $6, $7)
-        ON CONFLICT (segment_uuid) DO NOTHING
-      `, { bind: [
-        youtubeId,
-        segment.UUID,
-        segment.segment[0],
-        segment.segment[1],
-        segment.category,
-        segment.actionType || 'skip',
-        segment.votes || 0
-      ] })
-    }
+        DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
+      `, { bind: [youtubeId] })
+
+      let cached = 0
+      for (const segment of segments) {
+        if (!validateSegment(segment)) {
+          logger.warn(`Skipping invalid segment from API: ${JSON.stringify(segment).slice(0, 200)}`)
+          continue
+        }
+        await database.query(`
+          INSERT INTO plugin_sponsorblock_segments
+          (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
+          VALUES ($1, $2, $3, $4, $5, $6, $7)
+          ON CONFLICT (segment_uuid) DO NOTHING
+        `, { bind: [
+          youtubeId,
+          segment.UUID,
+          segment.segment[0],
+          segment.segment[1],
+          segment.category,
+          segment.actionType || 'skip',
+          segment.votes || 0
+        ] })
+        cached++
+      }
 
-    logger.info(`Cached ${segments.length} segments for ${youtubeId}`)
+      await database.query('COMMIT')
+      logger.info(`Cached ${cached} segments for ${youtubeId}`)
+    } catch (txError) {
+      await database.query('ROLLBACK')
+      throw txError
+    }
 
   } catch (error) {
     logger.error(`Failed to fetch segments for ${youtubeId}`, error)
@@ -524,6 +604,7 @@ function startSyncTimer(peertubeHelpers, settingsManager) {
       )
 
       const apiUrl = await settingsManager.getSetting('api_url') || 'https://sponsor.ajay.app'
+      validateApiUrl(apiUrl)
 
       for (const mapping of (mappings || [])) {
         try {
@@ -532,26 +613,38 @@ function startSyncTimer(peertubeHelpers, settingsManager) {
           if (response.ok) {
             const apiSegments = await response.json()
 
-            await database.query(
-              'DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1',
-              { bind: [mapping.youtube_id] }
-            )
-
-            for (const segment of apiSegments) {
-              await database.query(`
-                INSERT INTO plugin_sponsorblock_segments
-                (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
-                VALUES ($1, $2, $3, $4, $5, $6, $7)
-                ON CONFLICT (segment_uuid) DO NOTHING
-              `, { bind: [
-                mapping.youtube_id,
-                segment.UUID,
-                segment.segment[0],
-                segment.segment[1],
-                segment.category,
-                segment.actionType || 'skip',
-                segment.votes || 0
-              ] })
+            await database.query('BEGIN')
+            try {
+              await database.query(
+                'DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1',
+                { bind: [mapping.youtube_id] }
+              )
+
+              for (const segment of apiSegments) {
+                if (!validateSegment(segment)) {
+                  logger.warn(`Periodic sync: skipping invalid segment: ${JSON.stringify(segment).slice(0, 200)}`)
+                  continue
+                }
+                await database.query(`
+                  INSERT INTO plugin_sponsorblock_segments
+                  (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
+                  VALUES ($1, $2, $3, $4, $5, $6, $7)
+                  ON CONFLICT (segment_uuid) DO NOTHING
+                `, { bind: [
+                  mapping.youtube_id,
+                  segment.UUID,
+                  segment.segment[0],
+                  segment.segment[1],
+                  segment.category,
+                  segment.actionType || 'skip',
+                  segment.votes || 0
+                ] })
+              }
+
+              await database.query('COMMIT')
+            } catch (txError) {
+              await database.query('ROLLBACK')
+              throw txError
             }
           }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "peertube-plugin-sponsorblock",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Automatically skip or remove sponsor segments in videos imported from YouTube using the SponsorBlock API",
   "license": "AGPL-3.0",
   "engine": {

package/server/ffmpeg.js

@@ -172,7 +172,12 @@ async function findVideoFiles(database, videoUuid, storagePath, logger) {
     )
 
     for (const row of (webVideoFiles || [])) {
-      const filePath = path.join(storagePath, 'web-videos', row.filename)
+      const baseDir = path.resolve(storagePath, 'web-videos')
+      const filePath = path.resolve(baseDir, row.filename)
+      if (!filePath.startsWith(baseDir + path.sep)) {
+        logger.warn(`Path traversal blocked for web-video: ${row.filename}`)
+        continue
+      }
       if (await fileExists(filePath)) {
         files.push({ type: 'web-video', path: filePath })
       }
@@ -191,7 +196,12 @@ async function findVideoFiles(database, videoUuid, storagePath, logger) {
       )
 
       for (const row of (hlsFiles || [])) {
-        const filePath = path.join(storagePath, 'streaming-playlists', 'hls', videoUuid, row.filename)
+        const baseDir = path.resolve(storagePath, 'streaming-playlists', 'hls', videoUuid)
+        const filePath = path.resolve(baseDir, row.filename)
+        if (!filePath.startsWith(baseDir + path.sep)) {
+          logger.warn(`Path traversal blocked for HLS file: ${row.filename}`)
+          continue
+        }
         if (await fileExists(filePath)) {
           files.push({ type: 'hls', path: filePath })
         }

package/server/routes.js

@@ -2,16 +2,74 @@
  * Server-side API routes
  */
 
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+
+function isValidUuid(value) {
+  return typeof value === 'string' && UUID_REGEX.test(value)
+}
+
+/**
+ * Simple in-memory token-bucket rate limiter
+ * @param {number} maxTokens - Maximum requests allowed in the window
+ * @param {number} windowMs - Time window in milliseconds
+ */
+function createRateLimiter(maxTokens, windowMs) {
+  const buckets = new Map()
+
+  // Periodically clean up expired entries to avoid memory leaks
+  setInterval(() => {
+    const now = Date.now()
+    for (const [key, bucket] of buckets) {
+      if (now - bucket.lastRefill > windowMs * 2) {
+        buckets.delete(key)
+      }
+    }
+  }, windowMs).unref()
+
+  return (req, res, next) => {
+    const ip = req.ip || req.connection.remoteAddress || 'unknown'
+    const now = Date.now()
+
+    let bucket = buckets.get(ip)
+    if (!bucket) {
+      bucket = { tokens: maxTokens, lastRefill: now }
+      buckets.set(ip, bucket)
+    }
+
+    // Refill tokens based on elapsed time
+    const elapsed = now - bucket.lastRefill
+    const refill = Math.floor((elapsed / windowMs) * maxTokens)
+    if (refill > 0) {
+      bucket.tokens = Math.min(maxTokens, bucket.tokens + refill)
+      bucket.lastRefill = now
+    }
+
+    if (bucket.tokens <= 0) {
+      return res.status(429).json({ error: 'Too many requests, please try again later' })
+    }
+
+    bucket.tokens--
+    next()
+  }
+}
+
 async function registerRoutes({ router, peertubeHelpers }) {
   const logger = peertubeHelpers.logger
 
+  // Rate limiter: 60 requests per minute per IP for public endpoints
+  const segmentsRateLimiter = createRateLimiter(60, 60 * 1000)
+
   /**
    * GET /segments/:videoUuid
    * Returns SponsorBlock segments for a given video
    */
-  router.get('/segments/:videoUuid', async (req, res) => {
+  router.get('/segments/:videoUuid', segmentsRateLimiter, async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
       const database = peertubeHelpers.database
 
@@ -66,7 +124,17 @@ async function registerRoutes({ router, peertubeHelpers }) {
   router.get('/mapping/:videoUuid', async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
+      // Auth check: admin/moderator only
+      const user = await peertubeHelpers.user.getAuthUser(res)
+      if (!user || (user.role !== 0 && user.role !== 1)) {
+        return res.status(403).json({ error: 'Admin or moderator access required' })
+      }
+
       const database = peertubeHelpers.database
 
       const [mappings] = await database.query(`
@@ -98,6 +166,10 @@ async function registerRoutes({ router, peertubeHelpers }) {
   router.post('/mapping/:videoUuid', async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
       // Auth check: admin/moderator only
       const user = await peertubeHelpers.user.getAuthUser(res)
@@ -221,6 +293,10 @@ async function registerRoutes({ router, peertubeHelpers }) {
   router.post('/process/:videoUuid', async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
       // Auth check: admin/moderator only
       const user = await peertubeHelpers.user.getAuthUser(res)
@@ -438,6 +514,10 @@ async function registerRoutes({ router, peertubeHelpers }) {
   router.delete('/mapping/:videoUuid', async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
       const user = await peertubeHelpers.user.getAuthUser(res)
       if (!user || user.role !== 0) {
@@ -544,7 +624,17 @@ async function registerRoutes({ router, peertubeHelpers }) {
   router.post('/sync/:videoUuid', async (req, res) => {
     const videoUuid = req.params.videoUuid
 
+    if (!isValidUuid(videoUuid)) {
+      return res.status(400).json({ error: 'Invalid video UUID format' })
+    }
+
     try {
+      // Auth check: admin/moderator only
+      const user = await peertubeHelpers.user.getAuthUser(res)
+      if (!user || (user.role !== 0 && user.role !== 1)) {
+        return res.status(403).json({ error: 'Admin or moderator access required' })
+      }
+
       const database = peertubeHelpers.database
 
       // Get YouTube ID
@@ -573,29 +663,40 @@ async function registerRoutes({ router, peertubeHelpers }) {
 
       const segments = await response.json()
 
-      // Delete old segments
-      await database.query(`
-        DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
-      `, { bind: [youtubeId] })
-
-      // Insert new segments
+      // Delete old and insert new segments in a transaction
+      await database.query('BEGIN')
       let insertedCount = 0
-      for (const segment of segments) {
+      try {
         await database.query(`
-          INSERT INTO plugin_sponsorblock_segments
-          (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
-          VALUES ($1, $2, $3, $4, $5, $6, $7)
-          ON CONFLICT (segment_uuid) DO NOTHING
-        `, { bind: [
-          youtubeId,
-          segment.UUID,
-          segment.segment[0],
-          segment.segment[1],
-          segment.category,
-          segment.actionType || 'skip',
-          segment.votes || 0
-        ] })
-        insertedCount++
+          DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
+        `, { bind: [youtubeId] })
+
+        for (const segment of segments) {
+          if (!validateSegment(segment)) {
+            logger.warn(`Skipping invalid segment from API: ${JSON.stringify(segment).slice(0, 200)}`)
+            continue
+          }
+          await database.query(`
+            INSERT INTO plugin_sponsorblock_segments
+            (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
+            VALUES ($1, $2, $3, $4, $5, $6, $7)
+            ON CONFLICT (segment_uuid) DO NOTHING
+          `, { bind: [
+            youtubeId,
+            segment.UUID,
+            segment.segment[0],
+            segment.segment[1],
+            segment.category,
+            segment.actionType || 'skip',
+            segment.votes || 0
+          ] })
+          insertedCount++
+        }
+
+        await database.query('COMMIT')
+      } catch (txError) {
+        await database.query('ROLLBACK')
+        throw txError
       }
 
       // Update last_sync timestamp
@@ -653,6 +754,23 @@ function extractYoutubeId(input) {
   return null
 }
 
+/**
+ * Validate a segment from the SponsorBlock API response
+ * Returns true if the segment has valid shape, false otherwise
+ */
+function validateSegment(segment) {
+  if (!segment || typeof segment !== 'object') return false
+  if (typeof segment.UUID !== 'string' || segment.UUID.length === 0 || segment.UUID.length > 128) return false
+  if (!Array.isArray(segment.segment) || segment.segment.length !== 2) return false
+  const [start, end] = segment.segment
+  if (typeof start !== 'number' || typeof end !== 'number') return false
+  if (start < 0 || end < 0 || start >= end) return false
+  if (!isFinite(start) || !isFinite(end)) return false
+  if (typeof segment.category !== 'string' || segment.category.length === 0 || segment.category.length > 50) return false
+  if (segment.votes !== undefined && typeof segment.votes !== 'number') return false
+  return true
+}
+
 /**
  * Fetch segments from SponsorBlock API and cache them in database
  */
@@ -671,39 +789,49 @@ async function fetchAndCacheSegments(database, youtubeId, logger) {
 
   const apiSegments = await response.json()
 
-  // Delete old segments
-  await database.query(`
-    DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
-  `, { bind: [youtubeId] })
-
-  // Insert new segments
-  const segments = []
-  for (const segment of apiSegments) {
+  // Delete old and insert new segments in a transaction
+  await database.query('BEGIN')
+  try {
     await database.query(`
-      INSERT INTO plugin_sponsorblock_segments
-      (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
-      VALUES ($1, $2, $3, $4, $5, $6, $7)
-      ON CONFLICT (segment_uuid) DO NOTHING
-    `, { bind: [
-      youtubeId,
-      segment.UUID,
-      segment.segment[0],
-      segment.segment[1],
-      segment.category,
-      segment.actionType || 'skip',
-      segment.votes || 0
-    ] })
-    segments.push({
-      segment_uuid: segment.UUID,
-      start_time: segment.segment[0],
-      end_time: segment.segment[1],
-      category: segment.category,
-      action_type: segment.actionType || 'skip',
-      votes: segment.votes || 0
-    })
-  }
+      DELETE FROM plugin_sponsorblock_segments WHERE youtube_id = $1
+    `, { bind: [youtubeId] })
+
+    const segments = []
+    for (const segment of apiSegments) {
+      if (!validateSegment(segment)) {
+        logger.warn(`Skipping invalid segment from API: ${JSON.stringify(segment).slice(0, 200)}`)
+        continue
+      }
+      await database.query(`
+        INSERT INTO plugin_sponsorblock_segments
+        (youtube_id, segment_uuid, start_time, end_time, category, action_type, votes)
+        VALUES ($1, $2, $3, $4, $5, $6, $7)
+        ON CONFLICT (segment_uuid) DO NOTHING
+      `, { bind: [
+        youtubeId,
+        segment.UUID,
+        segment.segment[0],
+        segment.segment[1],
+        segment.category,
+        segment.actionType || 'skip',
+        segment.votes || 0
+      ] })
+      segments.push({
+        segment_uuid: segment.UUID,
+        start_time: segment.segment[0],
+        end_time: segment.segment[1],
+        category: segment.category,
+        action_type: segment.actionType || 'skip',
+        votes: segment.votes || 0
+      })
+    }
 
-  return segments
+    await database.query('COMMIT')
+    return segments
+  } catch (txError) {
+    await database.query('ROLLBACK')
+    throw txError
+  }
 }
 
 module.exports = { registerRoutes }