From 640db3029e2d0947dd330ab8e5267cc1a8ee914a Mon Sep 17 00:00:00 2001
From: Alex X
Date: Tue, 11 Nov 2025 15:00:58 +0300
Subject: [PATCH] Add config allow_paths for exec module

---
 internal/exec/exec.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/exec/exec.go b/internal/exec/exec.go
index 711be8a2..aa7df688 100644
--- a/internal/exec/exec.go
+++ b/internal/exec/exec.go
@@ -9,6 +9,7 @@ import (
 "io"
 "net/url"
 "os"
+ "slices"
 "strings"
 "sync"
 "syscall"
@@ -26,6 +27,16 @@ import (
 )
 
 func Init() {
+ var cfg struct {
+ Mod struct {
+ AllowPaths []string `yaml:"allow_paths"`
+ } `yaml:"exec"`
+ }
+
+ app.LoadConfig(&cfg)
+
+ allowPaths = cfg.Mod.AllowPaths
+
 rtsp.HandleFunc(func(conn *pkg.Conn) bool {
 waitersMu.Lock()
 waiter := waiters[conn.URL.Path]
@@ -49,6 +60,8 @@ func Init() {
 log = app.GetLogger("exec")
 }
 
+var allowPaths []string
+
 func execHandle(rawURL string) (prod core.Producer, err error) {
 rawURL, rawQuery, _ := strings.Cut(rawURL, "#")
 query := streams.ParseQuery(rawQuery)
@@ -73,6 +86,10 @@ func execHandle(rawURL string) (prod core.Producer, err error) {
 debug: log.Debug().Enabled(),
 }
 
+ if allowPaths != nil && !slices.Contains(allowPaths, cmd.Args[0]) {
+ return nil, errors.New("exec: bin not in allow_paths: " + cmd.Args[0])
+ }
+
 if s := query.Get("killsignal"); s != "" {
 sig := syscall.Signal(core.Atoi(s))
 cmd.Cancel = func() error {
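Review bot: A nil `allowPaths` means "no restriction" in the execHandle check, and the assignment `allowPaths = cfg.Mod.AllowPaths` in Init cannot tell a missing `allow_paths` key from one written with no value, so a config that looks locked down may leave exec unrestricted. Whether an empty key decodes to nil depends on the YAML decoder behind `app.LoadConfig`, which is not visible here; only an explicit `allow_paths: []` is likely to give a non-nil empty list. I would log once at startup whether the allow list is active and how many entries it holds. The declaration in the next hunk should also carry a comment stating the rule, for example `// allowPaths restricts exec sources to these binaries; nil means no restriction. Set once in Init.`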
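Review bot: The guard added in execHandle compares the raw `cmd.Args[0]` string with the configured entries, so it restricts only the name as written in the source URL, not the file that is finally executed and not its arguments. An entry such as `ffmpeg` admits whichever `ffmpeg` the PATH lookup resolves to. If `cmd` is an `*exec.Cmd`, as its `Args` and `Cancel` fields suggest, matching the resolved path against absolute entries is stricter: `if allowPaths != nil && !slices.Contains(allowPaths, cmd.Path) {`. Whichever form is kept, the config documentation should state that listing a shell or other interpreter still permits arbitrary commands through its arguments. execHandle continues past the end of the hunk, and how `cmd` is built is not visible here.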