Avatar Proxy allows requesting any resource from literally every origin #1013

Closed
1 task done
rflrkn opened this issue Oct 16, 2024 · 3 comments · Fixed by #1016
Labels
awaiting triage This issue needs to be reviewed bug Something isn't working released

Comments

@rflrkn

rflrkn commented Oct 16, 2024

Description

I just noticed that the avatar proxy allows proxying/loading literally any request - no matter the original resource's origin or filetype.

Version

2.0.0

Steps to Reproduce

Try requesting (e.g.):
https://{YOUR-JELLYSEER-HOST}/avatarproxy/https://ash-speed.hetzner.com/100MB.bin

Screenshots

No response

Logs

No response

Platform

desktop

Device

MacBook Pro (doesn't matter though)

Operating System

macOS 15.0.1

Browser

Zen Browser (Firefox)

Additional Context

The avatar proxy should only allow loading resources from the configured Jellyfin host (or its external URL) and maybe also check MIME types

Code of Conduct

  • I agree to follow Jellyseerr's Code of Conduct
@rflrkn rflrkn added awaiting triage This issue needs to be reviewed bug Something isn't working labels Oct 16, 2024
@kokojako

Hi, same as #1012

@gauthier-th
Collaborator

Hi, yep I'm fixing it. A patch will be available very soon

gauthier-th added a commit that referenced this issue Oct 16, 2024
Avatar proxy was allowing every request to be proxied, no matter the original resource's origin or
filetype. This PR fixes it by allowing only relevant resources to be cached, i.e. Jellyfin/Emby
images and TMDB images.

fix #1012, #1013
Fallenbagel pushed a commit that referenced this issue Oct 17, 2024
* fix: rewrite avatarproxy and CachedImage

Avatar proxy was allowing every request to be proxied, no matter the original resource's origin or
filetype. This PR fixes it by allowing only relevant resources to be cached, i.e. Jellyfin/Emby
images and TMDB images.

fix #1012, #1013

* fix: resolve CodeQL error

* fix: resolve CodeQL error

* fix: resolve review comments

* fix: resolve review comment

* fix: resolve CodeQL error

* fix: update imageproxy path
@Fallenbagel
Owner

🎉 This issue has been resolved in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

bonswouar pushed a commit to bonswouar/jellyseerr that referenced this issue Nov 10, 2024
thibodelanghe pushed a commit to thibodelanghe/jellyseerr that referenced this issue Dec 18, 2024