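// Background and value
// WebRTC depends on external STUN/TURN servers and on a signaling channel. A single
// allowlist plus ICE-candidate filtering blocks uncontrolled outbound connections and
// improves reliability.
//
// Policy (as stated by the original page):
//   - Signaling authorization: validate the signaling token and the page origin.
//   - STUN/TURN allowlist: only approved server URLs (and credentials) may be used.
//   - ICE candidate filtering: reject private-network and loopback candidates and
//     restrict the transport protocol and port.

// ---- Core implementation: allowlist and candidate filtering ----

type IceServer = { urls: string[]; username?: string; credential?: string }

/** Exact ICE-server URLs this deployment is allowed to contact. */
const allowServers = new Set(['stun:stun.l.google.com:19302', 'turns:turn.company.example:443'])

/**
 * Returns true only when every URL of the ICE-server entry is on the allowlist.
 *
 * Deny by default: an entry with no URLs is rejected (the original accepted it
 * vacuously). TURN/TURNS entries must also carry a non-empty username and
 * credential, matching the page's "approved servers and credentials" policy;
 * the credential *values* themselves are not verified here.
 */
function serverAllowed(s: IceServer): boolean {
  if (s.urls.length === 0) return false
  if (!s.urls.every((u) => allowServers.has(u))) return false
  const usesTurn = s.urls.some((u) => u.startsWith('turn:') || u.startsWith('turns:'))
  if (usesTurn && !(s.username && s.credential)) return false
  return true
}

/**
 * Parses a dotted-quad IPv4 literal into an unsigned 32-bit integer.
 * Returns -1 for anything that is not four decimal octets in 0..255
 * (IPv6 literals, hostnames, mDNS names, out-of-range octets).
 */
function ipv4ToInt(ip: string): number {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip)
  if (!m) return -1
  const octets = m.slice(1).map(Number)
  if (octets.some((x) => x > 255)) return -1
  // `>>> 0` keeps the value unsigned even when the top bit is set.
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0
}

/**
 * Returns true when the IPv4 literal `ip` lies within `cidr`.
 *
 * `cidr` is "a.b.c.d/p" with an integer prefix 0..32; a bare address is treated as
 * /32. Any unparsable rule or address yields false — i.e. a malformed input never
 * matches — so callers that need fail-closed behaviour must reject addresses that
 * fail ipv4ToInt() themselves (candidateAllowed() does).
 */
function inCidr(ip: string, cidr: string): boolean {
  const [baseStr, prefixStr] = cidr.split('/')
  const prefix =
    prefixStr === undefined ? 32 : /^\d{1,2}$/.test(prefixStr) ? Number(prefixStr) : NaN
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return false
  const base = ipv4ToInt(baseStr)
  const value = ipv4ToInt(ip)
  if (base < 0 || value < 0) return false
  // JS shift counts are taken modulo 32, so `~0 << 32` would produce an all-ones
  // mask for /0 (the original bug); handle /0 explicitly.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0
  return ((value & mask) >>> 0) === ((base & mask) >>> 0)
}

/**
 * IPv4 ranges an ICE candidate must never advertise: RFC 1918 private space,
 * loopback and link-local (from the original list), plus "this network"
 * (0.0.0.0/8), carrier-grade-NAT shared space (100.64.0.0/10), multicast and
 * reserved blocks — none of which is a legitimate public unicast endpoint.
 */
const blockedCidrs = [
  '10.0.0.0/8',
  '172.16.0.0/12',
  '192.168.0.0/16',
  '127.0.0.0/8',
  '169.254.0.0/16',
  '0.0.0.0/8',
  '100.64.0.0/10',
  '224.0.0.0/4',
  '240.0.0.0/4',
]

/** Candidate ports accepted by default — the original hard-coded policy. */
const allowedCandidatePorts: ReadonlySet<number> = new Set([443, 3478, 19302])

// `candidate:<foundation> <component> <transport> <priority> <address> <port> ...`
// The transport token is matched case-insensitively; some implementations emit `UDP`.
const candidateRe = /candidate:\S+\s\d+\s(udp|tcp)\s\S+\s([0-9.]+)\s(\d+)/i

/**
 * Decides whether an ICE candidate may be used.
 *
 * Accepts only candidates whose SDP attribute parses with a udp/tcp transport, a
 * well-formed public IPv4 literal and a port in `allowedPorts`. Everything else is
 * rejected (fail-closed), including:
 *   - IPv6 and mDNS (`*.local`) candidates — the address pattern admits only digits
 *     and dots;
 *   - malformed IPv4 such as `999.1.1.1`, which the original let through because
 *     ipv4ToInt() returned -1 and therefore no blocked CIDR matched;
 *   - the empty end-of-candidates signal (`candidate: ''`); callers that need to
 *     forward it must handle it before calling this function.
 *
 * NOTE(review): the port checked here is the candidate's own transport port, which
 * for host/srflx/relay candidates is normally ephemeral rather than a server port,
 * so the default set (443/3478/19302) is very restrictive; pass a deployment-specific
 * `allowedPorts` if legitimate candidates are being dropped.
 *
 * @param c            candidate as received from signaling or onicecandidate
 * @param allowedPorts ports a candidate may advertise (defaults to the original policy)
 */
function candidateAllowed(
  c: RTCIceCandidateInit,
  allowedPorts: ReadonlySet<number> = allowedCandidatePorts,
): boolean {
  const line = String(c.candidate ?? '')
  const m = candidateRe.exec(line)
  if (!m) return false
  const proto = m[1].toLowerCase()
  const ip = m[2]
  const port = Number(m[3])
  if (proto !== 'udp' && proto !== 'tcp') return false
  if (!allowedPorts.has(port)) return false
  // Fail closed on anything that is not a valid dotted quad.
  if (ipv4ToInt(ip) < 0) return false
  return !blockedCidrs.some((range) => inCidr(ip, range))
}

// ---- Signaling authorization (illustrative) ----

/**
 * Shape check only: 16–128 characters from [A-Za-z0-9_.-].
 * This does NOT authenticate the token — the signaling server must still verify
 * its signature or lookup, expiry, and binding to the session.
 */
function validToken(t: string): boolean {
  return /^[A-Za-z0-9_\-\.]{16,128}$/.test(t)
}

/** The single page origin allowed to use the signaling channel. */
const allowedOrigin = 'https://app.example.com'

/**
 * Returns true when `url` parses as an absolute URL whose origin (scheme, host,
 * port) is exactly `allowedOrigin`. Relative or unparsable URLs return false.
 */
function originAllowed(url: string): boolean {
  let parsed: URL
  try {
    parsed = new URL(url)
  } catch {
    return false
  }
  return parsed.origin === allowedOrigin
}

// ---- Deployment guidance ----
// - Combine signaling-token validation with the origin allowlist so that only
//   controlled pages can use WebRTC.
// - Configure STUN/TURN servers centrally and validate them against the allowlist;
//   reject uncontrolled addresses and credentials.
// - Filter ICE candidates for private networks and non-compliant ports to reduce
//   intranet leakage and outbound risk.
//
// ---- Verification checklist ----
// - Does the signaling token pass the format check, and is the origin controlled?
// - Do ICE servers and candidates hit the allowlist and the filter rules?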
