Scope
Surfaced by the security-reviewer subagent during pre-push review of PR #261 (xvideos HLS fragments migration) and applies equally to PR #260 (xnxx). Severity: LOW (test-coverage gap, not a runtime defect).
Background
WgczNetworkBase::extract_format_urls applies require_http_scheme to every captured URL, so a script-injected javascript: or file:// URI in setVideoHLS(...) is filtered out before reaching Format construction. When the HLS URL is rejected, fmt_urls.hls is None and the HLS row is never emitted — build_info (xvideos) / extract (xnxx) returns RdlpError::Extraction { "no formats found" } before expand_hls_in_place is ever called.
The behaviour is safe by construction, but neither xnxx nor xvideos has a test that locks down the contract at the wiring layer. If someone refactored require_http_scheme away or changed WgczFormatUrls to surface non-http(s) URLs, the regression would only fail in a security audit, not in CI.
Acceptance criteria
References
Scope
Surfaced by the security-reviewer subagent during pre-push review of PR #261 (xvideos HLS fragments migration) and applies equally to PR #260 (xnxx). Severity: LOW (test-coverage gap, not a runtime defect).
Background
WgczNetworkBase::extract_format_urlsappliesrequire_http_schemeto every captured URL, so a script-injectedjavascript:orfile://URI insetVideoHLS(...)is filtered out before reachingFormatconstruction. When the HLS URL is rejected,fmt_urls.hlsisNoneand the HLS row is never emitted —build_info(xvideos) /extract(xnxx) returnsRdlpError::Extraction { "no formats found" }beforeexpand_hls_in_placeis ever called.The behaviour is safe by construction, but neither xnxx nor xvideos has a test that locks down the contract at the wiring layer. If someone refactored
require_http_schemeaway or changedWgczFormatUrlsto surface non-http(s) URLs, the regression would only fail in a security audit, not in CI.Acceptance criteria
crates/rdlp-extractor/src/extractors/xnxx/mod.rsasserting that an HTML fixture whosesetVideoHLS(...)contains afile:///etc/passwd(orjavascript:alert(1), or any non-http(s)) URL producesErr(RdlpError::Extraction { ... })fromextract, and thatexpand_hls_in_placeis never reached.crates/rdlp-extractor/src/extractors/xvideos/mod.rsagainstbuild_info.WgczNetworkBase::extract_format_urlsitself confirmingrequire_http_schemerejectsfile:///javascript:schemes forsetVideoHLS/setVideoUrlLow/setVideoUrlHigh— covers both extractors with one fixture.References
a9f13f7b48e1a3280)crates/rdlp-extractor/src/hls/expand_in_place.rs