8x48/homepage
1
0
Fork 0
mirror of https://github.com/gethomepage/homepage.git synced 2026-01-14 05:02:09 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request from GHSA-24m5-7vjx-9x37

Browse Source 
* Restrict emby endpoints and proxy segments

* Dont allow path traversal in segments

* Restrict qbittorrent proxy endpoints

* Restrict npm proxy endpoints

* Restrict flood proxy endpoints

* Restrict tdarr proxy endpoints

* Restrict xteve proxy endpoints

* Restrict transmission proxy endpoints

* disallow non-mapped endpoints

this change drops all requests that have un-mapped endpoint queries

allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint

most widgets with custom proxies use either no endpoint, or a static one

Co-Authored-By: Ben Phelps <ben@phelps.io>
This commit is contained in:
shamoon
2024-06-02 20:11:03 -07:00
parent 8823b04291
commit 52cce0ee21
22 changed files with 79 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/widgets/xteve/component.jsx
View File

@@ -9,7 +9,7 @@ export default function Component({ service }) {
const { widget } = service;
const { data: xteveData, error: xteveError } = useWidgetAPI(widget, "api");
const { data: xteveData, error: xteveError } = useWidgetAPI(widget);
if (xteveError) {
return <Container service={service} error={xteveError} />;

4
src/widgets/xteve/proxy.js
View File

@@ -7,7 +7,7 @@ import getServiceWidget from "utils/config/service-helpers";
const logger = createLogger("xteveProxyHandler");
export default async function xteveProxyHandler(req, res) {
const { group, service, endpoint } = req.query;
const { group, service } = req.query;
if (!group || !service) {
return res.status(400).json({ error: "Invalid proxy service type" });
@@ -19,7 +19,7 @@ export default async function xteveProxyHandler(req, res) {
return res.status(403).json({ error: "Service does not support API calls" });
}
const url = formatApiCall(api, { endpoint, ...widget });
const url = formatApiCall(api, { endpoint: "api/", ...widget });
const method = "POST";
const payload = { cmd: "status" };

6
src/widgets/xteve/widget.js
View File

@@ -3,12 +3,6 @@ import xteveProxyHandler from "./proxy";
const widget = {
api: "{url}/{endpoint}",
proxyHandler: xteveProxyHandler,
mappings: {
api: {
endpoint: "api/",
},
},
};
export default widget;