[Enhancement] Add server setting to disable SSRF req filters to allow internal addresses #1687

Closed
opened 2026-04-24 23:54:51 +02:00 by adam · 11 comments

Originally created by @undaunt on GitHub (Jan 25, 2024).

Describe the issue

I generated a filtered RSS podcast feed from a self-hosted instance of rss-bridge in mrss format. The feed appears very similar to an identically regex filtered feed created on SiftRSS.

When I attempt to add the feed to audiobookshelf, I received a popup 'Failed to get podcast feed', and the browser console errors are:

```
POST https://abs.domain.com/api/podcasts/feed 404 (Not Found)
Axios error 404 Podcast RSS feed request failed or invalid response data
64dd6ee.js:1 Failed to get feed Error: Request failed with status code 404
    at t.exports (f95bec9.js:2:194980)
    at t.exports (f95bec9.js:2:242271)
    at XMLHttpRequest.E (f95bec9.js:2:193574)
```

The SiftRSS link of the same podcast regex works without issue - https://siftrss.com/f/G6k08l5zqgL

Both the SiftRSS and my rss-bridge feed work when I test them at https://rssviewer.app/. I temporarily exposed my rss-bridge with a public CNAME to test this, but generally it is only accessible from my private network as it redirects the FQDN to my Traefik host.

I am able to successfully pull the entire feed from shell with `docker exec audiobookshelf curl "https://rss.domain.com/feedurl"` but without quotes, I receive an error so I'm wondering if Audiobookshelf is having an issue escaping some of the characters in the full URL?

Partly sanitized URL:

`https://rss.domain.com/?action=display&bridge=FilterBridge&url=https%3A%2F%2Ffeeds.megaphone.fm%2FQCD8414694967&filter=%5E%28Gatewalkers+Episode%7CGatewalkers+Session%29&filter_type=block&target_title=on&length_limit=-1&format=Mrss`

Steps to reproduce the issue

  1. Attempt to add the URL as a new podcast.

Audiobookshelf version

v2.7.2

How are you running audiobookshelf?

Docker

adam added the enhancement label 2026-04-24 23:54:51 +02:00
adam closed this issue 2026-04-24 23:54:52 +02:00

@undaunt commented on GitHub (Jan 25, 2024):

I have also opened an issue with rss-bridge in case it's due to how they transform the feed during filtering, though another user in #1781 was able to add a feed successfully already, so that may not be the issue at hand.


@advplyr commented on GitHub (Feb 18, 2024):

Is this an issue with abs or rss-bridge? I've never used that so I'm not sure what to make of this.


@zentonic commented on GitHub (Feb 28, 2024):

I think it's an issue in podcastUtils.js

here is what happens in the audiobookshelf container:

~~~
audiobookshelf  | 2024-02-27T23:09:56.030029941Z [2024-02-27 23:09:56.029] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)
audiobookshelf  | 2024-02-27T23:10:42.252620865Z [2024-02-27 23:10:42.252] DEBUG: [podcastUtils] getPodcastFeed for "https://rss-bridge.org/bridge01/?action=display&bridge=ARDAudiothekBridge&path=https%3A%2F%2Fwww.ardaudiothek.de%2Fsendung%2F100-aus-100-die-hoerspiel-collection%2F12800327%2F&limit=&format=Atom" (podcastUtils.js:229)
audiobookshelf  | 2024-02-27T23:10:43.170091802Z [2024-02-27 23:10:43.169] DEBUG: [podcastUtils] getPodcastFeed for "https://rss-bridge.org/bridge01/?action=display&bridge=ARDAudiothekBridge&path=https%3A%2F%2Fwww.ardaudiothek.de%2Fsendung%2F100-aus-100-die-hoerspiel-collection%2F12800327%2F&limit=&format=Atom" success - parsing xml (podcastUtils.js:254)
audiobookshelf  | 2024-02-27T23:10:43.206152232Z [2024-02-27 23:10:43.205] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)
audiobookshelf  | 2024-02-27T23:21:16.826517083Z [2024-02-27 23:21:16.825] DEBUG: [podcastUtils] getPodcastFeed for "https://siftrss.com/f/By7vlK6Z3Q" (podcastUtils.js:229)
audiobookshelf  | 2024-02-27T23:21:17.856221879Z [2024-02-27 23:21:17.855] DEBUG: [podcastUtils] getPodcastFeed for "https://siftrss.com/f/By7vlK6Z3Q" success - parsing xml (podcastUtils.js:254)
audiobookshelf  | 2024-02-27T23:21:17.890041392Z [2024-02-27 23:21:17.889] ERROR: [podcastUtils] Invalid XML or RSS feed (podcastUtils.js:201)
~~~

But other clients have no problems and the w3c feed validator says that's a correct feed: w3c validator

Update: Here is the correct link. The first I wrote was wrong.
|||
VV
even on this siftrss Feed...


@advplyr commented on GitHub (Feb 28, 2024):

I've not seen a podcast RSS feed that looks like the one you are using.

The RSS feeds Abs is expecting look like this: https://help.apple.com/itc/podcasts_connect/#/itcbaf351599

https://www.castfeedvalidator.com/validate.php?url=https://siftrss.com/f/By7vlK6Z3Q

Abs is expecting the <rss> tag as the opening tag not <feed>. I'm not sure if that is a requirement for podcast rss feeds, I've just not seen it done otherwise.

Are you able to add that RSS feed to other podcast apps? I doubt that would be recognized as a podcast


@undaunt commented on GitHub (Feb 28, 2024):

@zentonic Thanks for jumping in as I've been super busy recently.

@advplyr They acknowledge on rss-bridge's end that their feed handling isn't totally spot on in reproducing a feed that has been filtered like SiftRSS is, however I'm able to add an rss-bridge feed to other podcast applications without an error as well.


@advplyr commented on GitHub (Feb 28, 2024):

What podcast app accepts that format of RSS feed so that I can test it out?


@zentonic commented on GitHub (Feb 28, 2024):

> Are you able to add that RSS feed to other podcast apps? I doubt that would be recognized as a podcast

I am particularly interested in this feed:
https://www.ardaudiothek.de/sendung/100-aus-100-die-hoerspiel-collection/12800327/

Unfortunately, not all "podcasts" from German radio stations have real feeds.

That's why I'm glad that rss bridge is now building them. On the page you can select ATOM and then this feed appears.

This is w3c validatable and can also be used in AntennaPOD, for example.


But I would prefer to use audiobookshelf instead for listening to these productions :-)

siftrss was for me an experiment to "enhance" or "clean up" the rss bridge feed. Since I wrote a static-page podcast publisher I know that the feed thing is ugly, and all clients and libraries and servers do other things.

But I don't know what happens here.


@undaunt commented on GitHub (Feb 28, 2024):

> What podcast app accepts that format of RSS feed so that I can test it out?

Apple Podcasts loads the feed without issue on my iPhone.


@zentonic commented on GitHub (Mar 2, 2024):

instead of

~~~
<?xml version="1.0" encoding="UTF-8"?>
<rss 
…
~~~

rss-bridge's feed starts with

~~~
<?xml version="1.0"?>
<feed
…
~~~

after disabling in https://github.com/advplyr/audiobookshelf/blob/master/server/utils/podcastUtils.js ... around line 200 `!json?.rss`

there is a new error:

~~~
audiobookshelf  | 2024-03-02T11:29:04.925558727Z [2024-03-02 11:29:04.924] ERROR: [podcastUtils] getPodcastFeed Error Error: Call to 10.13.123.254 is blocked.
~~~

BUT:
For ARD Audiothek there is another Feed Generator: https://github.com/matztam/ARD-Audiothek-RSS/blob/main/ardaudiothek-rss.php

The Feeds from there are working fine (slow but fine and also only on external domains, not in LAN) without any changes in Audiobookshelf.


@advplyr commented on GitHub (Mar 2, 2024):

That has to do with an SSRF filter blocking internal IPs. That was put in after a security advisory but a way to disable that is going to be put in soon. I'm not sure what that will be yet but probably an environment variable.


@advplyr commented on GitHub (Jul 9, 2024):

Added in v2.11.0

Using environment variable `DISABLE_SSRF_REQUEST_FILTER=1`

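
The filter behaviour discussed in the last comments, as an added example that is not Audiobookshelf's code: internal addresses are rejected with the error seen in the log, `DISABLE_SSRF_REQUEST_FILTER=1` turns the check off for every request, and a per-host allowlist is shown beside it as the narrower setting. Only `DISABLE_SSRF_REQUEST_FILTER` comes from the thread; `FEED_HOST_ALLOWLIST` and the function names are hypothetical.

```javascript
// Added example, not Audiobookshelf's code. FEED_HOST_ALLOWLIST and the
// function names are hypothetical; DISABLE_SSRF_REQUEST_FILTER is from the thread.
const net = require('net');

// Address ranges a server-side fetcher should not reach by default.
const internal = new net.BlockList();
internal.addSubnet('10.0.0.0', 8, 'ipv4');      // RFC 1918
internal.addSubnet('172.16.0.0', 12, 'ipv4');   // RFC 1918
internal.addSubnet('192.168.0.0', 16, 'ipv4');  // RFC 1918
internal.addSubnet('127.0.0.0', 8, 'ipv4');     // loopback
internal.addSubnet('169.254.0.0', 16, 'ipv4');  // link-local
internal.addAddress('::1', 'ipv6');             // loopback
internal.addSubnet('fc00::', 7, 'ipv6');        // unique local
internal.addSubnet('fe80::', 10, 'ipv6');       // link-local

function isInternal(ip) {
  const family = net.isIP(ip); // 4, 6, or 0 when the string is not an IP literal
  if (family === 0) throw new TypeError(`not an IP address: ${ip}`);
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Decide on the address the hostname resolved to, just before connecting,
// so a public-looking name that points at a LAN address is still caught.
function checkFeedTarget(hostname, resolvedIp, env = process.env) {
  if (env.DISABLE_SSRF_REQUEST_FILTER === '1') {
    // Global opt-out: every user-supplied feed URL may now reach the LAN.
    return { allowed: true, reason: 'filter disabled globally' };
  }
  if (!isInternal(resolvedIp)) {
    return { allowed: true, reason: 'public address' };
  }
  // Narrower alternative: only named internal hosts are reachable.
  const allow = (env.FEED_HOST_ALLOWLIST || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (allow.includes(hostname.toLowerCase())) {
    return { allowed: true, reason: 'host on allowlist' };
  }
  return { allowed: false, reason: `Call to ${resolvedIp} is blocked.` };
}
```

With an empty environment, `checkFeedTarget('rss.domain.com', '10.13.123.254', {})` is refused with the same message as in the log above; setting either variable allows it, but only the allowlist keeps other internal hosts blocked.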
Reference: starred/audiobookshelf#1687