Merge pull request from GHSA-24m5-7vjx-9x37

* Restrict emby endpoints and proxy segments * Dont allow path traversal in segments * Restrict qbittorrent proxy endpoints * Restrict npm proxy endpoints * Restrict flood proxy endpoints * Restrict tdarr proxy endpoints * Restrict xteve proxy endpoints * Restrict transmission proxy endpoints * disallow non-mapped endpoints this change drops all requests that have un-mapped endpoint queries allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint most widgets with custom proxies use either no endpoint, or a static one Co-Authored-By: Ben Phelps <ben@phelps.io>
2025-07-18 18:49:50 +00:00 · 2024-06-02 20:11:03 -07:00 · 2024-06-02 20:11:03 -07:00 · 52cce0ee21
commit 52cce0ee21
parent 8823b04291
22 changed files with 79 additions and 35 deletions
--- a/src/widgets/glances/widget.js
+++ b/src/widgets/glances/widget.js
@ -3,6 +3,7 @@ import credentialedProxyHandler from "utils/proxy/handlers/credentialed";
 const widget = {
  api: "{url}/api/{endpoint}",
  proxyHandler: credentialedProxyHandler,
+  allowedEndpoints: /\d\/quicklook|diskio|fs|gpu|system|mem|network|processlist|sensors/,
 };

 export default widget;