From 76f633afce47bc69c683ea395fbcf309de98702e Mon Sep 17 00:00:00 2001
From: Josh Patra
Date: Sun, 1 Feb 2026 11:48:45 -0500
Subject: [PATCH] Add security blocklist for dangerous admin endpoints
- Block system restart/shutdown endpoints
- Block system configuration changes
- Block plugin management (install/uninstall/configure)
- Block scheduled task management
- Block server startup/setup endpoints
- Block user creation endpoint
- Block library management (refresh, virtual folders)
- Block server logs and activity log access
- Log blocked attempts with IP address for security monitoring
- Returns 403 Forbidden with descriptive error message
This maintains client compatibility via catch-all proxy while preventing unauthorized access to administrative functions.
---
allstarr/Controllers/JellyfinController.cs | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/allstarr/Controllers/JellyfinController.cs b/allstarr/Controllers/JellyfinController.cs
index b5f0876..e0a8b23 100644
--- a/allstarr/Controllers/JellyfinController.cs
+++ b/allstarr/Controllers/JellyfinController.cs
@@ -1662,6 +1662,7 @@ public class JellyfinController : ControllerBase
 ///
 /// Catch-all endpoint that proxies unhandled requests to Jellyfin transparently.
 /// This route has the lowest priority and should only match requests that don't have SearchTerm.
+ /// Blocks dangerous admin endpoints for security.
 ///
 [HttpGet("{**path}", Order = 100)]
 [HttpPost("{**path}", Order = 100)]
@@ -1670,6 +1671,39 @@ public class JellyfinController : ControllerBase
 // DEBUG: Log EVERY request to see what's happening
 _logger.LogWarning("ProxyRequest called with path: {Path}", path);
+ // Block dangerous admin endpoints
+ var blockedPrefixes = new[]
+ {
+ "system/restart", // Server restart
+ "system/shutdown", // Server shutdown
+ "system/configuration", // System configuration changes
+ "system/logs", // Server logs access
+ "system/activitylog", // Activity log access
+ "plugins/", // Plugin management (install/uninstall/configure)
+ "scheduledtasks/", // Scheduled task management
+ "startup/", // Initial server setup
+ "users/new", // User creation
+ "library/refresh", // Library scan (expensive operation)
+ "library/virtualfolders", // Library folder management
+ "branding/", // Branding configuration
+ "displaypreferences/", // Display preferences (if not user-specific)
+ "notifications/admin" // Admin notifications
+ };
+
+ // Check if path matches any blocked prefix
+ if (blockedPrefixes.Any(prefix =>
+ path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
+ {
+ _logger.LogWarning("BLOCKED: Access denied to admin endpoint: {Path} from {IP}",
+ path,
+ HttpContext.Connection.RemoteIpAddress);
+ return StatusCode(403, new
+ {
+ error = "Access to administrative endpoints is not allowed through this proxy",
+ path = path
+ });
+ }
+
+ // Intercept Spotify playlist requests by ID
 if (_spotifySettings.Enabled &&
 path.StartsWith("playlists/", StringComparison.OrdinalIgnoreCase) &&
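Review bot: The check at `if (blockedPrefixes.Any(prefix => path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))` is a denylist matched on the raw route value, so any administrative route not enumerated in the list still reaches the upstream and nothing canonicalizes the path beyond case folding; if the proxied request is sent with a server-side credential (the forwarding code is outside this hunk), an allowlist of the routes clients actually need, or forwarding only the caller's own token, is the safer design. The `displaypreferences/` entry is annotated "(if not user-specific)" by its own comment, but in Jellyfin that endpoint serves per-user client view settings, so blocking it likely breaks ordinary clients — confirm against the upstream API before shipping. `blockedPrefixes` is rebuilt on every request and `path.StartsWith` dereferences a catch-all route value that ASP.NET Core can bind as null when no segments follow the prefix, so hoist the list to a `private static readonly string[]`, guard the null, and prefer `StatusCodes.Status403Forbidden` over the bare `403`. `HttpContext.Connection.RemoteIpAddress` in the blocked-attempt log is the immediate peer, so behind a reverse proxy it records the proxy's address unless forwarded-headers middleware is configured. ProxyRequest's signature and the remainder of its body lie outside the hunk.
```csharp
// Class scope: built once instead of on every request.
private static readonly string[] BlockedPrefixes = new[]
{
    "system/restart", // Server restart
    // … unchanged: remaining prefixes …
};

// … unchanged: debug logging …
// Catch-all route values can be null; a null path has nothing to match.
if (path is not null &&
    BlockedPrefixes.Any(prefix => path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
{
    _logger.LogWarning("BLOCKED: Access denied to admin endpoint: {Path} from {IP}",
        path,
        HttpContext.Connection.RemoteIpAddress);
    return StatusCode(StatusCodes.Status403Forbidden, new
    {
        error = "Access to administrative endpoints is not allowed through this proxy",
        path = path
    });
}
```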