Merge pull request from GHSA-24m5-7vjx-9x37

* Restrict emby endpoints and proxy segments

* Dont allow path traversal in segments

* Restrict qbittorrent proxy endpoints

* Restrict npm proxy endpoints

* Restrict flood proxy endpoints

* Restrict tdarr proxy endpoints

* Restrict xteve proxy endpoints

* Restrict transmission proxy endpoints

* disallow non-mapped endpoints

This change drops all requests that have un-mapped endpoint queries.

allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint

most widgets with custom proxies use either no endpoint, or a static one

Co-Authored-By: Ben Phelps <ben@phelps.io>
shamoon 2024-06-02 20:11:03 -07:00
parent 8823b04291
commit 52cce0ee21
22 changed files with 79 additions and 35 deletions


@ -8,22 +8,16 @@ export function formatApiCall(url, args) {
return url.replace(/\/+$/, "").replace(find, replace).replace(find, replace);
}
function getURLSearchParams(widget, endpoint) {
export function getURLSearchParams(widget, endpoint) {
const params = new URLSearchParams({
type: widget.type,
group: widget.service_group,
service: widget.service_name,
endpoint,
});
return params;
}
export function formatProxyUrlWithSegments(widget, endpoint, segments) {
const params = getURLSearchParams(widget, endpoint);
if (segments) {
params.append("segments", JSON.stringify(segments));
if (endpoint) {
params.append("endpoint", endpoint);
}
return `/api/services/proxy?${params.toString()}`;
return params;
}
export function formatProxyUrl(widget, endpoint, queryParams) {
@ -59,6 +53,7 @@ export function sanitizeErrorURL(errorURL) {
const url = new URL(errorURL);
["apikey", "api_key", "token", "t", "access_token", "auth"].forEach((key) => {
if (url.searchParams.has(key)) url.searchParams.set(key, "***");
if (url.hash.includes(key)) url.hash = url.hash.replace(new RegExp(`${key}=[^&]+`), `${key}=***`);
});
return url.toString();
}
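Review bot: The hash redaction added on the `if (url.hash.includes(key)) url.hash = url.hash.replace(...)` line builds its RegExp without the `g` flag, so only the first occurrence of a key in the fragment is masked and a second `token=`-style pair in the same hash still reaches the sanitized string that is presumably logged or shown. Passing `"g"` as the second argument to `new RegExp(...)` masks every occurrence, and the `includes` pre-check can then be dropped since `replace` is already a no-op when nothing matches. The key is interpolated into the pattern unescaped, which is safe for the static literals in this list but worth a one-line comment such as `// keys are fixed literals; escape them if this list ever becomes configurable`. Note that `includes` is a substring test, so short keys like `t` also cause over-redaction of unrelated names such as `start=`; harmless, but the query-side `searchParams.has` is an exact match, so the two branches behave differently. sanitizeErrorURL's signature is outside the hunk.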