salvacybersec/Youtube2Feed
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

api key and security

Browse Source
This commit is contained in:
salvacybersec
2025-11-13 03:40:05 +03:00
parent 763a5a0a01
commit 372ed6401b
7 changed files with 1210 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
src/database.py
View File

@@ -3,6 +3,7 @@ SQLite veritabanı yönetimi modülü
"""
import sqlite3
import os
import re
from datetime import datetime, timezone
from typing import Optional, List, Dict
@@ -89,8 +90,24 @@ class Database:
if self.conn:
self.conn.close()
def _validate_video_id(self, video_id: str) -> bool:
"""Video ID formatını doğrula (SQL injection koruması)"""
if not video_id or len(video_id) > 20:
return False
# YouTube video ID: 11 karakter, alfanumerik + _ -
return bool(re.match(r'^[a-zA-Z0-9_-]{11}$', video_id))
def _validate_channel_id(self, channel_id: str) -> bool:
"""Channel ID formatını doğrula (SQL injection koruması)"""
if not channel_id or len(channel_id) > 50:
return False
# YouTube channel ID: UC ile başlayan 24 karakter
return bool(re.match(r'^UC[a-zA-Z0-9_-]{22}$', channel_id))
def is_video_processed(self, video_id: str) -> bool:
"""Video işlenmiş mi kontrol et"""
if not self._validate_video_id(video_id):
raise ValueError(f"Geçersiz video_id formatı: {video_id}")
cursor = self.conn.cursor()
cursor.execute("SELECT video_id FROM videos WHERE video_id = ?", (video_id,))
return cursor.fetchone() is not None
@@ -107,16 +124,26 @@ class Database:
def add_video(self, video_data: Dict):
"""Yeni video ekle (status=0 olarak)"""
# Input validation
video_id = video_data.get('video_id')
channel_id = video_data.get('channel_id')
if not self._validate_video_id(video_id):
raise ValueError(f"Geçersiz video_id formatı: {video_id}")
if channel_id and not self._validate_channel_id(channel_id):
raise ValueError(f"Geçersiz channel_id formatı: {channel_id}")
cursor = self.conn.cursor()
cursor.execute("""
INSERT OR IGNORE INTO videos
(video_id, channel_id, video_title, video_url, published_at_utc, transcript_status)
VALUES (?, ?, ?, ?, ?, 0)
""", (
video_data['video_id'],
video_data.get('channel_id'),
video_data.get('video_title'),
video_data.get('video_url'),
video_id,
channel_id,
video_data.get('video_title', '')[:500], # Max length
video_data.get('video_url', '')[:500], # Max length
video_data.get('published_at_utc')
))
self.conn.commit()
@@ -124,6 +151,13 @@ class Database:
def update_video_transcript(self, video_id: str, raw: str, clean: str,
status: int, language: Optional[str] = None):
"""Video transcript'ini güncelle"""
# Input validation
if not self._validate_video_id(video_id):
raise ValueError(f"Geçersiz video_id formatı: {video_id}")
if status not in [0, 1, 2]:
raise ValueError(f"Geçersiz status değeri: {status}")
cursor = self.conn.cursor()
now_utc = datetime.now(timezone.utc).isoformat()
cursor.execute("""
@@ -141,6 +175,13 @@ class Database:
def get_processed_videos(self, limit: Optional[int] = None,
channel_id: Optional[str] = None) -> List[Dict]:
"""İşlenmiş videoları getir (status=1)"""
# Input validation
if channel_id and not self._validate_channel_id(channel_id):
raise ValueError(f"Geçersiz channel_id formatı: {channel_id}")
if limit is not None and (not isinstance(limit, int) or limit < 1 or limit > 1000):
raise ValueError(f"Geçersiz limit değeri: {limit} (1-1000 arası olmalı)")
cursor = self.conn.cursor()
query = """
SELECT * FROM videos
@@ -163,6 +204,10 @@ class Database:
def mark_video_failed(self, video_id: str, reason: Optional[str] = None):
"""Video'yu başarısız olarak işaretle (status=2)"""
# Input validation
if not self._validate_video_id(video_id):
raise ValueError(f"Geçersiz video_id formatı: {video_id}")
cursor = self.conn.cursor()
cursor.execute("""
UPDATE videos

334
src/security.py Normal file
View File

@@ -0,0 +1,334 @@
"""
Güvenlik modülü: Authentication, Rate Limiting, Input Validation
"""
import re
import hashlib
import hmac
import time
from functools import wraps
from flask import request, jsonify, g
from typing import Optional, Dict, List
from collections import defaultdict
from datetime import datetime, timedelta
class SecurityManager:
"""Güvenlik yönetim sınıfı"""
def __init__(self, api_keys: Dict[str, Dict] = None, rate_limit_per_minute: int = 60):
"""
Args:
api_keys: API key dict {key: {name, rate_limit, enabled}}
rate_limit_per_minute: Varsayılan rate limit
"""
self.api_keys = api_keys or {}
self.rate_limit_per_minute = rate_limit_per_minute
# Rate limiting için: {ip_or_key: [(timestamp, ...)]}
self.rate_limit_store = defaultdict(list)
# IP bazlı rate limiting
self.ip_rate_limits = defaultdict(list)
def validate_api_key(self, api_key: Optional[str]) -> tuple[bool, Optional[Dict]]:
"""
API key doğrula
Returns:
(is_valid, key_info) tuple
"""
if not api_key:
return False, None
# API key'i hash'le ve karşılaştır
key_info = self.api_keys.get(api_key)
if key_info and key_info.get('enabled', True):
return True, key_info
return False, None
def check_rate_limit(self, identifier: str, limit: int = None) -> tuple[bool, int]:
"""
Rate limit kontrolü
Args:
identifier: IP adresi veya API key
limit: Rate limit (None ise varsayılan kullanılır)
Returns:
(is_allowed, remaining_requests) tuple
"""
if limit is None:
limit = self.rate_limit_per_minute
now = time.time()
minute_ago = now - 60
# Eski kayıtları temizle
self.rate_limit_store[identifier] = [
ts for ts in self.rate_limit_store[identifier] if ts > minute_ago
]
# Rate limit kontrolü
if len(self.rate_limit_store[identifier]) >= limit:
remaining = 0
return False, remaining
# Yeni isteği kaydet
self.rate_limit_store[identifier].append(now)
remaining = limit - len(self.rate_limit_store[identifier])
return True, remaining
def sanitize_input(self, text: str, max_length: int = 500) -> str:
"""
Input sanitization (XSS koruması)
Args:
text: Temizlenecek metin
max_length: Maksimum uzunluk
Returns:
Temizlenmiş metin
"""
if not text:
return ""
# Uzunluk kontrolü
text = text[:max_length]
# Tehlikeli karakterleri temizle
# HTML tag'lerini kaldır (basit)
text = re.sub(r'<[^>]+>', '', text)
# Script tag'lerini kaldır
text = re.sub(r'<script[^>]*>.*?</script>', '', text, flags=re.IGNORECASE | re.DOTALL)
# JavaScript event handler'ları kaldır
text = re.sub(r'on\w+\s*=', '', text, flags=re.IGNORECASE)
return text.strip()
def validate_channel_id(self, channel_id: str) -> bool:
"""
Channel ID formatını doğrula
Args:
channel_id: YouTube Channel ID
Returns:
Geçerli mi?
"""
if not channel_id:
return False
# UC ile başlayan 24 karakter
if re.match(r'^UC[a-zA-Z0-9_-]{22}$', channel_id):
return True
return False
def validate_channel_handle(self, handle: str) -> bool:
"""
Channel handle formatını doğrula
Args:
handle: @username veya username
Returns:
Geçerli mi?
"""
if not handle:
return False
# @ ile başlayan veya başlamayan, alfanumerik + _ - karakterler
handle = handle.lstrip('@')
if re.match(r'^[a-zA-Z0-9_-]{1,30}$', handle):
return True
return False
def validate_url(self, url: str) -> bool:
"""
URL formatını doğrula
Args:
url: URL string
Returns:
Geçerli mi?
"""
if not url:
return False
# Sadece YouTube URL'lerine izin ver
youtube_patterns = [
r'^https?://(www\.)?youtube\.com/channel/[a-zA-Z0-9_-]+',
r'^https?://(www\.)?youtube\.com/@[a-zA-Z0-9_-]+',
r'^https?://(www\.)?youtu\.be/[a-zA-Z0-9_-]+',
]
for pattern in youtube_patterns:
if re.match(pattern, url):
return True
return False
def validate_max_items(self, max_items: int) -> bool:
"""
max_items parametresini doğrula
Args:
max_items: Maksimum item sayısı
Returns:
Geçerli mi?
"""
return isinstance(max_items, int) and 1 <= max_items <= 500
# Global security manager instance
_security_manager = None
def init_security(api_keys: Dict[str, Dict] = None, rate_limit: int = 60):
"""Security manager'ı initialize et"""
global _security_manager
_security_manager = SecurityManager(api_keys, rate_limit)
return _security_manager
def get_security_manager() -> SecurityManager:
"""Security manager instance'ı al"""
global _security_manager
if _security_manager is None:
_security_manager = SecurityManager()
return _security_manager
def require_api_key(f):
"""API key gerektiren decorator"""
@wraps(f)
def decorated_function(*args, **kwargs):
security = get_security_manager()
# API key'i header'dan veya query'den al
api_key = request.headers.get('X-API-Key') or request.args.get('api_key')
is_valid, key_info = security.validate_api_key(api_key)
if not is_valid:
return jsonify({
'error': 'Geçersiz veya eksik API key',
'message': 'X-API-Key header veya api_key query parametresi gerekli'
}), 401
# Rate limit kontrolü (API key bazlı)
key_rate_limit = key_info.get('rate_limit', security.rate_limit_per_minute)
is_allowed, remaining = security.check_rate_limit(api_key, key_rate_limit)
if not is_allowed:
return jsonify({
'error': 'Rate limit aşıldı',
'message': f'Dakikada {key_rate_limit} istek limiti',
'retry_after': 60
}), 429
# API key bilgisini g context'e ekle
g.api_key = api_key
g.api_key_info = key_info
# Response header'a remaining ekle
g.rate_limit_remaining = remaining
return f(*args, **kwargs)
return decorated_function
def rate_limit(limit_per_minute: int = 60):
"""Rate limiting decorator (IP bazlı)"""
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
security = get_security_manager()
# IP adresini al
ip_address = request.environ.get('HTTP_X_FORWARDED_FOR', request.remote_addr)
if ip_address:
ip_address = ip_address.split(',')[0].strip()
# Rate limit kontrolü
is_allowed, remaining = security.check_rate_limit(ip_address, limit_per_minute)
if not is_allowed:
return jsonify({
'error': 'Rate limit aşıldı',
'message': f'Dakikada {limit_per_minute} istek limiti',
'retry_after': 60
}), 429
g.rate_limit_remaining = remaining
return f(*args, **kwargs)
return decorated_function
return decorator
def validate_input(f):
"""Input validation decorator"""
@wraps(f)
def decorated_function(*args, **kwargs):
security = get_security_manager()
# Query parametrelerini validate et
channel_id = request.args.get('channel_id')
channel = request.args.get('channel')
channel_url = request.args.get('channel_url')
max_items = request.args.get('max_items', '50')
# Channel ID validation
if channel_id and not security.validate_channel_id(channel_id):
return jsonify({
'error': 'Geçersiz channel_id formatı',
'message': 'Channel ID UC ile başlayan 24 karakter olmalı'
}), 400
# Channel handle validation
if channel and not security.validate_channel_handle(channel):
return jsonify({
'error': 'Geçersiz channel handle formatı',
'message': 'Channel handle alfanumerik karakterler içermeli (maks 30 karakter)'
}), 400
# Channel URL validation
if channel_url and not security.validate_url(channel_url):
return jsonify({
'error': 'Geçersiz channel_url formatı',
'message': 'Sadece YouTube URL\'lerine izin verilir'
}), 400
# max_items validation
try:
max_items_int = int(max_items)
if not security.validate_max_items(max_items_int):
return jsonify({
'error': 'Geçersiz max_items değeri',
'message': 'max_items 1-500 arasında olmalı'
}), 400
except ValueError:
return jsonify({
'error': 'Geçersiz max_items formatı',
'message': 'max_items sayı olmalı'
}), 400
# Input sanitization
if channel_id:
channel_id = security.sanitize_input(channel_id, max_length=50)
if channel:
channel = security.sanitize_input(channel, max_length=50)
if channel_url:
channel_url = security.sanitize_input(channel_url, max_length=200)
return f(*args, **kwargs)
return decorated_function

95
src/web_server.py
View File

@@ -1,9 +1,11 @@
"""
Flask web server - RSS-Bridge benzeri URL template sistemi
"""
from flask import Flask, request, Response, jsonify
from flask import Flask, request, Response, jsonify, g, after_request
from typing import Optional
import sys
import os
import yaml
from pathlib import Path
sys.path.insert(0, str(Path(__file__).parent.parent))
@@ -13,10 +15,80 @@ from src.video_fetcher import fetch_videos_from_rss_bridge, get_channel_id_from_
from src.transcript_extractor import TranscriptExtractor
from src.transcript_cleaner import TranscriptCleaner
from src.rss_generator import RSSGenerator
from src.security import (
init_security, get_security_manager,
require_api_key, rate_limit, validate_input
)
app = Flask(__name__)
# Security config yükle
_security_config = None
def load_security_config():
"""Security config'i yükle"""
global _security_config
if _security_config is None:
config_path = Path(__file__).parent.parent / 'config' / 'security.yaml'
if config_path.exists():
with open(config_path, 'r', encoding='utf-8') as f:
_security_config = yaml.safe_load(f).get('security', {})
else:
_security_config = {}
return _security_config
# Security manager'ı initialize et
def init_app_security():
"""Security manager'ı uygulama başlangıcında initialize et"""
config = load_security_config()
api_keys = config.get('api_keys', {})
default_rate_limit = config.get('default_rate_limit', 60)
init_security(api_keys, default_rate_limit)
# Security headers ve CORS middleware
@app.after_request
def add_security_headers(response):
"""Security header'ları ekle"""
config = load_security_config()
headers = config.get('security_headers', {})
for header, value in headers.items():
response.headers[header] = value
# CORS headers
cors_config = config.get('cors', {})
if cors_config.get('enabled', True):
origins = cors_config.get('allowed_origins', ['*'])
if '*' in origins:
response.headers['Access-Control-Allow-Origin'] = '*'
else:
origin = request.headers.get('Origin')
if origin in origins:
response.headers['Access-Control-Allow-Origin'] = origin
response.headers['Access-Control-Allow-Methods'] = ', '.join(
cors_config.get('allowed_methods', ['GET', 'OPTIONS'])
)
response.headers['Access-Control-Allow-Headers'] = ', '.join(
cors_config.get('allowed_headers', ['Content-Type', 'X-API-Key'])
)
# Rate limit bilgisini header'a ekle
if hasattr(g, 'rate_limit_remaining'):
response.headers['X-RateLimit-Remaining'] = str(g.rate_limit_remaining)
return response
# OPTIONS handler for CORS
@app.route('/', methods=['OPTIONS'])
@app.route('/<path:path>', methods=['OPTIONS'])
def handle_options(path=None):
"""CORS preflight request handler"""
return Response(status=200)
# Uygulama başlangıcında security'yi initialize et
init_app_security()
# Global instances (lazy loading)
db = None
extractor = None
@@ -165,6 +237,8 @@ def process_channel(channel_id: str, max_items: int = 50) -> dict:
@app.route('/', methods=['GET'])
@require_api_key # API key zorunlu
@validate_input # Input validation
def generate_feed():
"""
RSS-Bridge benzeri URL template:
@@ -174,12 +248,15 @@ def generate_feed():
- /?channel=@tavakfi&format=Atom
- /?channel_url=https://www.youtube.com/@tavakfi&format=Atom
"""
# Query parametrelerini al
# Query parametrelerini al (validate_input decorator zaten sanitize etti)
channel_id = request.args.get('channel_id')
channel = request.args.get('channel') # @username veya username
channel_url = request.args.get('channel_url')
format_type = request.args.get('format', 'Atom').lower() # Atom veya Rss
max_items = int(request.args.get('max_items', 50))
try:
max_items = int(request.args.get('max_items', 50))
except (ValueError, TypeError):
max_items = 50
# Channel ID'yi normalize et
normalized_channel_id = normalize_channel_id(
@@ -226,20 +303,26 @@ def generate_feed():
generator.add_video_entry(video)
# Format'a göre döndür
response_headers = {}
if hasattr(g, 'rate_limit_remaining'):
response_headers['X-RateLimit-Remaining'] = str(g.rate_limit_remaining)
if format_type == 'rss':
rss_content = generator.generate_rss_string()
response_headers['Content-Type'] = 'application/rss+xml; charset=utf-8'
return Response(
rss_content,
mimetype='application/rss+xml',
headers={'Content-Type': 'application/rss+xml; charset=utf-8'}
headers=response_headers
)
else: # Atom
# Feedgen Atom desteği
atom_content = generator.generate_atom_string()
response_headers['Content-Type'] = 'application/atom+xml; charset=utf-8'
return Response(
atom_content,
mimetype='application/atom+xml',
headers={'Content-Type': 'application/atom+xml; charset=utf-8'}
headers=response_headers
)
except Exception as e:
@@ -250,12 +333,14 @@ def generate_feed():
@app.route('/health', methods=['GET'])
@rate_limit(limit_per_minute=120) # Health check için daha yüksek limit
def health():
"""Health check endpoint"""
return jsonify({'status': 'ok', 'service': 'YouTube Transcript RSS Feed'})
@app.route('/info', methods=['GET'])
@require_api_key # API key zorunlu
def info():
"""API bilgileri"""
return jsonify({