From 2133f5323c094fe7a92c3087ddb12489cc991c7f Mon Sep 17 00:00:00 2001
From: Alex X <alexey.khit@gmail.com>
Date: Tue, 11 Nov 2025 17:33:15 +0300
Subject: [PATCH] Add insecure sources logic

---
 internal/echo/echo.go        |  1 +
 internal/exec/exec.go        |  1 +
 internal/expr/expr.go        |  1 +
 internal/streams/handlers.go | 22 ++++++++++++++++++++++
 internal/streams/streams.go  | 12 ------------
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/internal/echo/echo.go b/internal/echo/echo.go
index e8dffbd2..f33982fa 100644
--- a/internal/echo/echo.go
+++ b/internal/echo/echo.go
@@ -42,4 +42,5 @@ func Init() {
 
 		return string(b), nil
 	})
+	streams.MarkInsecure("echo")
 }
diff --git a/internal/exec/exec.go b/internal/exec/exec.go
index aa7df688..bf99168f 100644
--- a/internal/exec/exec.go
+++ b/internal/exec/exec.go
@@ -56,6 +56,7 @@ func Init() {
 	})
 
 	streams.HandleFunc("exec", execHandle)
+	streams.MarkInsecure("exec")
 
 	log = app.GetLogger("exec")
 }
diff --git a/internal/expr/expr.go b/internal/expr/expr.go
index 8fd6c9c2..60d32a84 100644
--- a/internal/expr/expr.go
+++ b/internal/expr/expr.go
@@ -25,4 +25,5 @@ func Init() {
 
 		return url, nil
 	})
+	streams.MarkInsecure("expr")
 }
diff --git a/internal/streams/handlers.go b/internal/streams/handlers.go
index 3240abb5..8922bb8d 100644
--- a/internal/streams/handlers.go
+++ b/internal/streams/handlers.go
@@ -2,6 +2,7 @@ package streams
 
 import (
 	"errors"
+	"regexp"
 	"strings"
 
 	"github.com/AlexxIT/go2rtc/pkg/core"
@@ -95,3 +96,24 @@ func GetConsumer(url string) (core.Consumer, func(), error) {
 
 	return nil, nil, errors.New("streams: unsupported scheme: " + url)
 }
+
+var insecure = map[string]bool{}
+
+func MarkInsecure(scheme string) {
+	insecure[scheme] = true
+}
+
+var sanitize = regexp.MustCompile(`\s`)
+
+func Validate(source string) error {
+	// TODO: Review the entire logic of insecure sources
+	if i := strings.IndexByte(source, ':'); i > 0 {
+		if insecure[source[:i]] {
+			return errors.New("streams: source from insecure producer")
+		}
+	}
+	if sanitize.MatchString(source) {
+		return errors.New("streams: source with spaces may be insecure")
+	}
+	return nil
+}
diff --git a/internal/streams/streams.go b/internal/streams/streams.go
index 1f110987..633ad2d1 100644
--- a/internal/streams/streams.go
+++ b/internal/streams/streams.go
@@ -1,9 +1,7 @@
 package streams
 
 import (
-	"errors"
 	"net/url"
-	"regexp"
 	"sync"
 	"time"
 
@@ -50,16 +48,6 @@ func Init() {
 	})
 }
 
-var sanitize = regexp.MustCompile(`\s`)
-
-// Validate - not allow creating dynamic streams with spaces in the source
-func Validate(source string) error {
-	if sanitize.MatchString(source) {
-		return errors.New("streams: invalid dynamic source")
-	}
-	return nil
-}
-
 func New(name string, sources ...string) *Stream {
 	for _, source := range sources {
 		if Validate(source) != nil {