8x48/homepage
1
0
Fork 0
mirror of https://github.com/gethomepage/homepage.git synced 2026-01-11 19:42:09 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Merge pull request from GHSA-24m5-7vjx-9x37

Browse Source 
* Restrict emby endpoints and proxy segments

* Dont allow path traversal in segments

* Restrict qbittorrent proxy endpoints

* Restrict npm proxy endpoints

* Restrict flood proxy endpoints

* Restrict tdarr proxy endpoints

* Restrict xteve proxy endpoints

* Restrict transmission proxy endpoints

* disallow non-mapped endpoints

this change drops all requests that have un-mapped endpoint queries

allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint

most widgets with custom proxies use either no endpoint, or a static one

Co-Authored-By: Ben Phelps <ben@phelps.io>
This commit is contained in:
shamoon
2024-06-02 20:11:03 -07:00
parent 8823b04291
commit b3cf985d4a
22 changed files with 78 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/widgets/xteve/proxy.js
View File

@@ -7,7 +7,7 @@ import getServiceWidget from "utils/config/service-helpers";
const logger = createLogger("xteveProxyHandler");
export default async function xteveProxyHandler(req, res) {
const { group, service, endpoint } = req.query;
const { group, service } = req.query;
if (!group || !service) {
return res.status(400).json({ error: "Invalid proxy service type" });
@@ -19,7 +19,7 @@ export default async function xteveProxyHandler(req, res) {
return res.status(403).json({ error: "Service does not support API calls" });
}
const url = formatApiCall(api, { endpoint, ...widget });
const url = formatApiCall(api, { endpoint: "api/", ...widget });
const method = "POST";
const payload = { cmd: "status" };