From 71310c5eb0db9122c4162966c5aad3feda1876cd Mon Sep 17 00:00:00 2001
From: Alessandro Ros
Date: Mon, 15 May 2023 10:51:00 +0200
Subject: [PATCH] webrtc: validate ICE servers in configuration (#1798)

---
 internal/conf/conf.go | 10 +++++++++-
 internal/conf/conf_test.go | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/internal/conf/conf.go b/internal/conf/conf.go
index c6ac6792..3064171a 100644
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@@ -229,12 +229,20 @@ func (conf *Conf) Check() error {
 if _, ok := conf.Protocols[Protocol(gortsplib.TransportUDP)]; ok {
 return fmt.Errorf("strict encryption can't be used with the UDP transport protocol")
 }
-
 if _, ok := conf.Protocols[Protocol(gortsplib.TransportUDPMulticast)]; ok {
 return fmt.Errorf("strict encryption can't be used with the UDP-multicast transport protocol")
 }
 }
 
+ // WebRTC
+ for _, server := range conf.WebRTCICEServers {
+ if !strings.HasPrefix(server, "stun:") &&
+ !strings.HasPrefix(server, "turn:") &&
+ !strings.HasPrefix(server, "turns:") {
+ return fmt.Errorf("invalid ICE server: '%s'", server)
+ }
+ }
+
 // do not add automatically "all", since user may want to
 // initialize all paths through API or hot reloading.
 if conf.Paths == nil {
diff --git a/internal/conf/conf_test.go b/internal/conf/conf_test.go
index 87cc7a65..c466f74f 100644
--- a/internal/conf/conf_test.go
+++ b/internal/conf/conf_test.go
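Review bot: The new loop in Check() accepts any string that merely starts with `stun:`, `turn:` or `turns:`, so an entry with nothing after the colon passes validation and would presumably surface only later, when the WebRTC stack parses it. Splitting once and requiring a non-empty remainder closes that gap: `scheme, rest, ok := strings.Cut(server, ":")` followed by `if !ok || rest == "" || (scheme != "stun" && scheme != "turn" && scheme != "turns") {`. The `invalid ICE server` case added to TestConfErrors in conf_test.go covers only a bare word, so a table entry for a known scheme with an empty remainder should accompany the stricter check. The error also prints the rejected entry verbatim; if TURN entries can carry credentials inline (not visible here), a mistyped scheme would copy them into whatever logs the startup error, so reporting the entry's index instead is safer. Check()'s body starts and ends outside the hunk.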
@@ -214,6 +214,44 @@ func TestConfErrors(t *testing.T) {
 `invalid: param`,
 "json: unknown field \"invalid\"",
 },
+ {
+ "invalid readBufferCount",
+ "readBufferCount: 1001\n",
+ "'readBufferCount' must be a power of two",
+ },
+ {
+ "invalid udpMaxPayloadSize",
+ "udpMaxPayloadSize: 5000\n",
+ "'udpMaxPayloadSize' must be less than 1472",
+ },
+ {
+ "invalid externalAuthenticationURL 1",
+ "externalAuthenticationURL: testing\n",
+ "'externalAuthenticationURL' must be a HTTP URL",
+ },
+ {
+ "invalid externalAuthenticationURL 2",
+ "externalAuthenticationURL: http://myurl\n" +
+ "authMethods: [digest]\n",
+ "'externalAuthenticationURL' can't be used when 'digest' is in authMethods",
+ },
+ {
+ "invalid strict encryption 1",
+ "encryption: strict\n" +
+ "protocols: [udp]\n",
+ "strict encryption can't be used with the UDP transport protocol",
+ },
+ {
+ "invalid strict encryption 2",
+ "encryption: strict\n" +
+ "protocols: [multicast]\n",
+ "strict encryption can't be used with the UDP-multicast transport protocol",
+ },
+ {
+ "invalid ICE server",
+ "webrtcICEServers: [testing]\n",
+ "invalid ICE server: 'testing'",
+ },
 {
 "non existent parameter 2",
 "paths:\n" +