hbbs: enforce outbound initiator whitelist by peer ID by tango103 · Pull Request #1 · tango103/rustdesk-server

tango103 · 2026-03-09T15:50:33Z

Add server-side enforcement so only authorized peer IDs can initiate outbound (A->B) punch-hole/relay requests while keeping inbound receive behavior unchanged.
Provide a simple, file-based whitelist (whitelist.txt) that is easy to edit on the server and only affects hbbs logic.

Load whitelist.txt at hbbs startup (one ID per line, ignore empty lines and lines beginning with #) and store it in RendezvousServer::outbound_whitelist via load_outbound_whitelist.
Before forwarding a PunchHoleRequest in handle_punch_hole_request, resolve the source peer ID from the request SocketAddr using a new helper PeerMap::get_id_by_socket_addr and reject the request if the source ID is missing or not in the whitelist.
Added PeerMap::get_id_by_socket_addr to map a SocketAddr to the peer ID by scanning the in-memory PeerMap.
Added a template whitelist.txt and updated src/rendezvous_server.rs and src/peer.rs to implement the feature.

Ran rustfmt on the modified files with rustfmt --edition 2021 src/rendezvous_server.rs src/peer.rs which completed successfully.
Attempted cargo fmt --all which failed in this environment because the workspace member libs/hbb_common is missing, so full workspace formatting could not be performed.
Attempted cargo check -p hbbs which failed for the same reason (libs/hbb_common/Cargo.toml missing), so a full build/check could not be completed here.

hbbs: enforce outbound initiator whitelist by peer ID

6791ff1

tango103 added the codex label Mar 9, 2026 — with ChatGPT Codex Connector

hbbs: allow configurable whitelist path and document format

f7415c9

Provide feedback