feat: play audio files from Discord attachments #255

Open
afonsojramos wants to merge 8 commits into main from feat/attachments-play
@afonsojramos
Collaborator

Summary

  • Add support for playing audio files directly from Discord message attachments
  • Implement secure file handling with validation (50MB size limit, audio/video content types only)
  • Use tempfile for secure temporary file creation (prevents path traversal)
  • Replace all .unwrap() calls with proper error handling to prevent panics
  • Handle missing metadata gracefully in queue display and now-playing embed

Changes

  • New file: src/sources/file.rs - Secure file download and playback implementation
  • Updated: /play command now accepts an optional attachment parameter
  • Fixed: Queue and now-playing displays handle tracks without thumbnails/URLs
  • Added: FileTooLarge and UnsupportedFileType error types

Security Improvements

The original PR #244 had several security issues that have been addressed:

  • Path traversal vulnerability → Fixed with tempfile::NamedTempFile
  • No file size limits → Added 50MB max file size
  • No content type validation → Added allowlist for audio/video types
  • Panic points from .unwrap() → Replaced with proper error handling

Test Plan

  • Test /play with a valid audio attachment (mp3, wav, ogg)
  • Test /play with a file exceeding 50MB (should show error)
  • Test /play with an unsupported file type (should show error)
  • Test /play with both query and attachment (query should take precedence)
  • Verify queue display works correctly for attached files
  • Test seek functionality on attached files

Credits

Based on work from PR #244 by @cycle-five

@afonsojramos afonsojramos force-pushed the feat/attachments-play branch 2 times, most recently from 790677f to d34f24c Compare December 30, 2025 16:10
afonsojramos and others added 7 commits December 31, 2025 03:04

Implement secure audio file playback from Discord attachments:
- Add file validation with 50MB size limit
- Validate content types (audio/*, video/mp4, video/webm, video/ogg)
- Use tempfile for secure temporary file handling
- Implement FileRestartable for seekable file playback
- Use ffprobe for metadata extraction

Co-authored-by: cycle-five <cycle.five@proton.me>

Add ffprobe, reqwest, and tempfile crates:
- ffprobe: extract audio file metadata
- reqwest: download attachment files
- tempfile: secure temporary file creation

Co-authored-by: cycle-five <cycle.five@proton.me>

Add FileTooLarge and UnsupportedFileType error variants with
corresponding user-facing messages for attachment validation.

Co-authored-by: cycle-five <cycle.five@proton.me>

- Add QueryType::File variant for attachment playback
- Update play command to accept optional attachment parameter
- Make query parameter optional when attachment is provided
- Handle File variant in all play modes (End, Next, Jump, etc.)

Co-authored-by: cycle-five <cycle.five@proton.me>

- Replace unwrap() calls with safe fallbacks in queue display
- Fix get_footer_info to handle invalid URLs
- Fix create_now_playing_embed for tracks without thumbnails
- Add QUEUE_NO_TITLE and QUEUE_NO_SRC fallback constants
- Fix unnecessary borrows for generic args in queue.rs and remove.rs
- Add clippy::result_large_err allows for existing code patterns
- Fix zombie_processes warning in youtube.rs by calling wait()
- Use std::io::Error::other() instead of new() with ErrorKind::Other
- Fix double_ended_iterator_last warning
- Remove unnecessary cast in file size check

Reduces ParrotError from 136 bytes to 56 bytes by boxing SerenityError,
eliminating the need for #[allow(clippy::result_large_err)] annotations.
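
The attachment checks listed in the summary and the first commit message (size cap, content-type allowlist), sketched as an added example using only the standard library; this is not the code from src/sources/file.rs. The names `AttachmentError`, `validate_attachment` and `copy_capped` are hypothetical, and the 50 MiB reading of "50MB", the rejection of a missing content type, and the second cap on bytes actually received are assumptions of this example.

```rust
use std::io::{self, Read, Write};

// Assumption: "50MB" is read here as 50 MiB; the PR text does not say which.
const MAX_FILE_SIZE: u64 = 50 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum AttachmentError {
    FileTooLarge,
    UnsupportedFileType,
}

/// Check the size and content type the attachment metadata reports, before any download.
fn validate_attachment(size: u64, content_type: Option<&str>) -> Result<(), AttachmentError> {
    if size > MAX_FILE_SIZE {
        return Err(AttachmentError::FileTooLarge);
    }
    // Drop parameters such as "; codecs=opus"; a missing type is rejected (assumption).
    let mime = content_type
        .and_then(|ct| ct.split(';').next())
        .map(|m| m.trim().to_ascii_lowercase())
        .ok_or(AttachmentError::UnsupportedFileType)?;
    let allowed = mime.strip_prefix("audio/").is_some_and(|sub| !sub.is_empty())
        || matches!(mime.as_str(), "video/mp4" | "video/webm" | "video/ogg");
    if allowed { Ok(()) } else { Err(AttachmentError::UnsupportedFileType) }
}

/// Copy a download body to `dst`, enforcing `limit` on the bytes actually
/// received, because the declared size is only a claim about the body.
fn copy_capped<R: Read, W: Write>(src: R, dst: &mut W, limit: u64) -> io::Result<u64> {
    // Read one byte past the limit so an oversized body is detectable.
    let copied = io::copy(&mut src.take(limit + 1), dst)?;
    if copied > limit {
        // The caller must discard `dst`; it holds a truncated, oversized body.
        return Err(io::Error::other("body exceeds size limit"));
    }
    Ok(copied)
}

fn main() {
    // Constructed sample inputs.
    println!("{:?}", validate_attachment(3_000_000, Some("audio/mpeg")));
    println!("{:?}", validate_attachment(3_000_000, Some("text/html")));
    println!("{:?}", validate_attachment(MAX_FILE_SIZE + 1, Some("audio/ogg")));
    let mut sink = Vec::new();
    let capped = copy_capped(&b"0123456789"[..], &mut sink, 4);
    println!("{:?}", capped.map_err(|e| e.to_string()));
}
```
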