chore: respect mode restrictions for xhttp listener

2026-04-22 16:17:16 +08:00 · 2026-04-06 12:42:28 +08:00
parent 871e6d1454
commit 0cb51414ec
2 changed files with 163 additions and 1 deletions
@@ -145,6 +145,49 @@ func (h *requestHandler) getSession(sessionID string) *httpSession {
 	return h.sessions[sessionID]
 }

+func (h *requestHandler) normalizedMode() string {
+	if h.config.Mode == "" {
+		return "auto"
+	}
+	return h.config.Mode
+}
+
+func (h *requestHandler) allowStreamOne() bool {
+	switch h.normalizedMode() {
+	case "auto", "stream-one", "stream-up":
+		return true
+	default:
+		return false
+	}
+}
+
+func (h *requestHandler) allowSessionDownload() bool {
+	switch h.normalizedMode() {
+	case "auto", "stream-up", "packet-up":
+		return true
+	default:
+		return false
+	}
+}
+
+func (h *requestHandler) allowStreamUpUpload() bool {
+	switch h.normalizedMode() {
+	case "auto", "stream-up":
+		return true
+	default:
+		return false
+	}
+}
+
+func (h *requestHandler) allowPacketUpUpload() bool {
+	switch h.normalizedMode() {
+	case "auto", "packet-up":
+		return true
+	default:
+		return false
+	}
+}
+
 func (h *requestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	path := h.config.NormalizedPath()
 	if h.httpHandler != nil && !strings.HasPrefix(r.URL.Path, path) {
@@ -167,6 +210,11 @@ func (h *requestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	// stream-one: POST /path
 	if r.Method == http.MethodPost && len(parts) == 0 {
+		if !h.allowStreamOne() {
+			http.NotFound(w, r)
+			return
+		}
+
 		w.Header().Set("X-Accel-Buffering", "no")
 		w.Header().Set("Cache-Control", "no-store")
 		w.WriteHeader(http.StatusOK)
@@ -192,8 +240,13 @@ func (h *requestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// packet-up download: GET /path/{session}
+	// stream-up/packet-up download: GET /path/{session}
 	if r.Method == http.MethodGet && len(parts) == 1 {
+		if !h.allowSessionDownload() {
+			http.NotFound(w, r)
+			return
+		}
+
 		sessionID := parts[0]
 		session := h.getOrCreateSession(sessionID)
 		session.markConnected()
@@ -236,6 +289,11 @@ func (h *requestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	// stream-up upload: POST /path/{session}
 	if r.Method == http.MethodPost && len(parts) == 1 {
+		if !h.allowStreamUpUpload() {
+			http.NotFound(w, r)
+			return
+		}
+
 		sessionID := parts[0]
 		session := h.getSession(sessionID)
 		if session == nil {
@@ -295,6 +353,11 @@ func (h *requestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	// packet-up upload: POST /path/{session}/{seq}
 	if r.Method == http.MethodPost && len(parts) == 2 {
+		if !h.allowPacketUpUpload() {
+			http.NotFound(w, r)
+			return
+		}
+
 		sessionID := parts[0]
 		seq, err := strconv.ParseUint(parts[1], 10, 64)
 		if err != nil {
@@ -0,0 +1,99 @@
+package xhttp
+
+import (
+	"io"
+	"net"
+	"testing"
+
+	"github.com/metacubex/http"
+	"github.com/metacubex/http/httptest"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestServerHandlerModeRestrictions(t *testing.T) {
+	testCases := []struct {
+		name       string
+		mode       string
+		method     string
+		target     string
+		wantStatus int
+	}{
+		{
+			name:       "StreamOneAcceptsStreamOne",
+			mode:       "stream-one",
+			method:     http.MethodPost,
+			target:     "https://example.com/xhttp/",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name:       "StreamOneRejectsSessionDownload",
+			mode:       "stream-one",
+			method:     http.MethodGet,
+			target:     "https://example.com/xhttp/session",
+			wantStatus: http.StatusNotFound,
+		},
+		{
+			name:       "StreamUpAcceptsStreamOne",
+			mode:       "stream-up",
+			method:     http.MethodPost,
+			target:     "https://example.com/xhttp/",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name:       "StreamUpAllowsDownloadEndpoint",
+			mode:       "stream-up",
+			method:     http.MethodGet,
+			target:     "https://example.com/xhttp/session",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name:       "StreamUpRejectsPacketUpload",
+			mode:       "stream-up",
+			method:     http.MethodPost,
+			target:     "https://example.com/xhttp/session/0",
+			wantStatus: http.StatusNotFound,
+		},
+		{
+			name:       "PacketUpAllowsDownloadEndpoint",
+			mode:       "packet-up",
+			method:     http.MethodGet,
+			target:     "https://example.com/xhttp/session",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name:       "PacketUpRejectsStreamOne",
+			mode:       "packet-up",
+			method:     http.MethodPost,
+			target:     "https://example.com/xhttp/",
+			wantStatus: http.StatusNotFound,
+		},
+		{
+			name:       "PacketUpRejectsStreamUpUpload",
+			mode:       "packet-up",
+			method:     http.MethodPost,
+			target:     "https://example.com/xhttp/session",
+			wantStatus: http.StatusNotFound,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			handler := NewServerHandler(ServerOption{
+				Config: Config{
+					Path: "/xhttp",
+					Mode: testCase.mode,
+				},
+				ConnHandler: func(conn net.Conn) {
+					_ = conn.Close()
+				},
+			})
+
+			req := httptest.NewRequest(testCase.method, testCase.target, io.NopCloser(http.NoBody))
+			recorder := httptest.NewRecorder()
+
+			handler.ServeHTTP(recorder, req)
+
+			assert.Equal(t, testCase.wantStatus, recorder.Result().StatusCode)
+		})
+	}
+}