Update:Remove local cover path input & replace with url from web input, include SSRF request filter

2025-12-22 19:59:37 +00:00 · 2023-10-13 16:33:47 -05:00 · 2023-10-13 16:33:47 -05:00 · 290a377ef9
commit 290a377ef9
parent 05731c9f72
20 changed files with 117 additions and 66 deletions
--- a/server/controllers/LibraryItemController.js
+++ b/server/controllers/LibraryItemController.js
@ -182,22 +182,22 @@ class LibraryItemController {
      return res.sendStatus(403)
    }

-    var libraryItem = req.libraryItem
+    let libraryItem = req.libraryItem

-    var result = null
-    if (req.body && req.body.url) {
+    let result = null
+    if (req.body?.url) {
      Logger.debug(`[LibraryItemController] Requesting download cover from url "${req.body.url}"`)
      result = await CoverManager.downloadCoverFromUrl(libraryItem, req.body.url)
-    } else if (req.files && req.files.cover) {
+    } else if (req.files?.cover) {
      Logger.debug(`[LibraryItemController] Handling uploaded cover`)
      result = await CoverManager.uploadCover(libraryItem, req.files.cover)
    } else {
      return res.status(400).send('Invalid request no file or url')
    }

-    if (result && result.error) {
+    if (result?.error) {
      return res.status(400).send(result.error)
-    } else if (!result || !result.cover) {
+    } else if (!result?.cover) {
      return res.status(500).send('Unknown error occurred')
    }

--- a/server/managers/CoverManager.js
+++ b/server/managers/CoverManager.js
@ -120,13 +120,16 @@ class CoverManager {
      await fs.ensureDir(coverDirPath)

      var temppath = Path.posix.join(coverDirPath, 'cover')
-      var success = await downloadFile(url, temppath).then(() => true).catch((err) => {
-        Logger.error(`[CoverManager] Download image file failed for "${url}"`, err)
+
+      let errorMsg = ''
+      let success = await downloadFile(url, temppath).then(() => true).catch((err) => {
+        errorMsg = err.message || 'Unknown error'
+        Logger.error(`[CoverManager] Download image file failed for "${url}"`, errorMsg)
        return false
      })
      if (!success) {
        return {
-          error: 'Failed to download image from url'
+          error: 'Failed to download image from url: ' + errorMsg
        }
      }

--- a/server/utils/fileUtils.js
+++ b/server/utils/fileUtils.js
@ -1,7 +1,8 @@
-const fs = require('../libs/fsExtra')
-const rra = require('../libs/recursiveReaddirAsync')
 const axios = require('axios')
 const Path = require('path')
+const ssrfFilter = require('ssrf-req-filter')
+const fs = require('../libs/fsExtra')
+const rra = require('../libs/recursiveReaddirAsync')
 const Logger = require('../Logger')
 const { AudioMimeType } = require('./constants')

@ -210,7 +211,9 @@ module.exports.downloadFile = (url, filepath) => {
      url,
      method: 'GET',
      responseType: 'stream',
-      timeout: 30000
+      timeout: 30000,
+      httpAgent: ssrfFilter(url),
+      httpsAgent: ssrfFilter(url)
    }).then((response) => {
      const writer = fs.createWriteStream(filepath)
      response.data.pipe(writer)