Merge pull request from GHSA-24m5-7vjx-9x37

* Restrict emby endpoints and proxy segments * Dont allow path traversal in segments * Restrict qbittorrent proxy endpoints * Restrict npm proxy endpoints * Restrict flood proxy endpoints * Restrict tdarr proxy endpoints * Restrict xteve proxy endpoints * Restrict transmission proxy endpoints * disallow non-mapped endpoints this change drops all requests that have un-mapped endpoint queries allowedEndpoints is added as a method to pass proxy requests via a regex on the endpoint most widgets with custom proxies use either no endpoint, or a static one Co-Authored-By: Ben Phelps <ben@phelps.io>
2025-12-07 09:35:54 -08:00 · 2024-06-02 20:11:03 -07:00
parent 8823b04291
commit 52cce0ee21
22 changed files with 79 additions and 35 deletions
--- a/src/widgets/transmission/proxy.js
+++ b/src/widgets/transmission/proxy.js
@@ -11,7 +11,7 @@ const headerCacheKey = `${proxyName}__headers`;
 const logger = createLogger(proxyName);

 export default async function transmissionProxyHandler(req, res) {
-  const { group, service, endpoint } = req.query;
+  const { group, service } = req.query;

  if (!group || !service) {
    logger.debug("Invalid or missing service '%s' or group '%s'", service, group);
@@ -35,7 +35,7 @@ export default async function transmissionProxyHandler(req, res) {

  const api = `${widget.url}${widget.rpcUrl || widgets[widget.type].rpcUrl}rpc`;

-  const url = new URL(formatApiCall(api, { endpoint, ...widget }));
+  const url = new URL(formatApiCall(api, { endpoint: undefined, ...widget }));
  const csrfHeaderName = "x-transmission-session-id";

  const method = "POST";