dominik/homepage-plus
1
0
Fork 0
mirror of https://github.com/DI0IK/homepage-plus.git synced 2025-07-19 11:09:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request from GHSA-24m5-7vjx-9x37

Browse source 
* Restrict emby endpoints and proxy segments

* Dont allow path traversal in segments

* Restrict qbittorrent proxy endpoints

* Restrict npm proxy endpoints

* Restrict flood proxy endpoints

* Restrict tdarr proxy endpoints

* Restrict xteve proxy endpoints

* Restrict transmission proxy endpoints

* disallow non-mapped endpoints

this change drops all requests that have un-mapped endpoint queries

allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint

most widgets with custom proxies use either no endpoint, or a static one

Co-Authored-By: Ben Phelps <ben@phelps.io>
This commit is contained in:
shamoon 2024-06-02 20:11:03 -07:00
parent 8823b04291
commit b3cf985d4a
22 changed files with 78 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/widgets/tdarr/proxy.js
View file

@ -8,7 +8,7 @@ const proxyName = "tdarrProxyHandler";
const logger = createLogger(proxyName);
export default async function tdarrProxyHandler(req, res) {
const { group, service, endpoint } = req.query;
const { group, service } = req.query;
if (!group || !service) {
logger.debug("Invalid or missing service '%s' or group '%s'", service, group);
@ -22,7 +22,7 @@ export default async function tdarrProxyHandler(req, res) {
return res.status(400).json({ error: "Invalid proxy service type" });
}
const url = new URL(formatApiCall(widgets[widget.type].api, { endpoint, ...widget }));
const url = new URL(formatApiCall(widgets[widget.type].api, { endpoint: undefined, ...widget }));
const [status, contentType, data] = await httpProxy(url, {
method: "POST",