Merge pull request from GHSA-24m5-7vjx-9x37

* Restrict emby endpoints and proxy segments * Dont allow path traversal in segments * Restrict qbittorrent proxy endpoints * Restrict npm proxy endpoints * Restrict flood proxy endpoints * Restrict tdarr proxy endpoints * Restrict xteve proxy endpoints * Restrict transmission proxy endpoints * disallow non-mapped endpoints this change drops all requests that have un-mapped endpoint queries allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint most widgets with custom proxies use either no endpoint, or a static one Co-Authored-By: Ben Phelps <ben@phelps.io>
2025-07-20 19:49:49 +00:00 · 2024-06-02 20:11:03 -07:00 · 2024-06-02 20:11:03 -07:00 · 52cce0ee21
commit 52cce0ee21
parent 8823b04291
22 changed files with 79 additions and 35 deletions
--- a/src/widgets/emby/component.jsx
+++ b/src/widgets/emby/component.jsx
@ -4,7 +4,7 @@ import { MdOutlineSmartDisplay } from "react-icons/md";

 import Block from "components/services/widget/block";
 import Container from "components/services/widget/container";
-import { formatProxyUrlWithSegments } from "utils/proxy/api-helpers";
+import { getURLSearchParams } from "utils/proxy/api-helpers";
 import useWidgetAPI from "utils/proxy/use-widget-api";

 function ticksToTime(ticks) {
@ -217,10 +217,14 @@ export default function Component({ service }) {
  });

  async function handlePlayCommand(session, command) {
-    const url = formatProxyUrlWithSegments(widget, "PlayControl", {
-      sessionId: session.Id,
-      command,
-    });
+    const params = getURLSearchParams(widget, command);
+    params.append(
+      "segments",
+      JSON.stringify({
+        sessionId: session.Id,
+      }),
+    );
+    const url = `/api/services/proxy?${params.toString()}`;
    await fetch(url).then(() => {
      sessionMutate();
    });
--- a/src/widgets/emby/widget.js
+++ b/src/widgets/emby/widget.js
@ -10,12 +10,16 @@ const widget = {
    },
    Count: {
      endpoint: "Items/Counts",
-      segments: ["MovieCount", "SeriesCount", "EpisodeCount", "SongCount"],
    },
-    PlayControl: {
+    Unpause: {
      method: "POST",
-      endpoint: "Sessions/{sessionId}/Playing/{command}",
-      segments: ["sessionId", "command"],
+      endpoint: "Sessions/{sessionId}/Playing/Unpause",
+      segments: ["sessionId"],
+    },
+    Pause: {
+      method: "POST",
+      endpoint: "Sessions/{sessionId}/Playing/Pause",
+      segments: ["sessionId"],
    },
  },
 };