Merge pull request from GHSA-24m5-7vjx-9x37

* Restrict emby endpoints and proxy segments * Dont allow path traversal in segments * Restrict qbittorrent proxy endpoints * Restrict npm proxy endpoints * Restrict flood proxy endpoints * Restrict tdarr proxy endpoints * Restrict xteve proxy endpoints * Restrict transmission proxy endpoints * disallow non-mapped endpoints this change drops all requests that have un-mapped endpoint queries allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint most widgets with custom proxies use either no endpoint, or a static one Co-Authored-By: Ben Phelps <ben@phelps.io>
2025-07-19 02:59:50 +00:00 · 2024-06-02 20:11:03 -07:00 · 2024-06-02 20:11:03 -07:00 · b3cf985d4a
commit b3cf985d4a
parent 8823b04291
22 changed files with 78 additions and 35 deletions
--- a/src/widgets/npm/component.jsx
+++ b/src/widgets/npm/component.jsx
@ -5,7 +5,7 @@ import useWidgetAPI from "utils/proxy/use-widget-api";
 export default function Component({ service }) {
  const { widget } = service;

-  const { data: infoData, error: infoError } = useWidgetAPI(widget, "nginx/proxy-hosts");
+  const { data: infoData, error: infoError } = useWidgetAPI(widget, "hosts");

  if (infoError) {
    return <Container service={service} error={infoError} />;
--- a/src/widgets/npm/widget.js
+++ b/src/widgets/npm/widget.js
@ -3,6 +3,12 @@ import npmProxyHandler from "./proxy";
 const widget = {
  api: "{url}/api/{endpoint}",
  proxyHandler: npmProxyHandler,
+
+  mappings: {
+    hosts: {
+      endpoint: "nginx/proxy-hosts",
+    },
+  },
 };

 export default widget;