joshpatra/allstarr
1
0
Fork 0
mirror of https://github.com/SoPat712/allstarr.git synced 2026-02-09 23:55:10 -05:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Add security blocklist for dangerous admin endpoints

Browse Source 
- Block system restart/shutdown endpoints
- Block system configuration changes
- Block plugin management (install/uninstall/configure)
- Block scheduled task management
- Block server startup/setup endpoints
- Block user creation endpoint
- Block library management (refresh, virtual folders)
- Block server logs and activity log access
- Log blocked attempts with IP address for security monitoring
- Returns 403 Forbidden with descriptive error message

This maintains client compatibility via catch-all proxy while preventing
unauthorized access to administrative functions.
This commit is contained in:
Josh Patra
2026-02-01 11:48:45 -05:00
parent 24df910ffa
commit 76f633afce
1 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
allstarr/Controllers/JellyfinController.cs
View File

@@ -1662,6 +1662,7 @@ public class JellyfinController : ControllerBase
/// <summary> /// <summary>
/// Catch-all endpoint that proxies unhandled requests to Jellyfin transparently. /// Catch-all endpoint that proxies unhandled requests to Jellyfin transparently.
/// This route has the lowest priority and should only match requests that don't have SearchTerm. /// This route has the lowest priority and should only match requests that don't have SearchTerm.
/// Blocks dangerous admin endpoints for security.
/// </summary> /// </summary>
[HttpGet("{**path}", Order = 100)] [HttpGet("{**path}", Order = 100)]
[HttpPost("{**path}", Order = 100)] [HttpPost("{**path}", Order = 100)]
@@ -1670,6 +1671,39 @@ public class JellyfinController : ControllerBase
// DEBUG: Log EVERY request to see what's happening // DEBUG: Log EVERY request to see what's happening
_logger.LogWarning("ProxyRequest called with path: {Path}", path); _logger.LogWarning("ProxyRequest called with path: {Path}", path);
// Block dangerous admin endpoints
var blockedPrefixes = new[]
{
"system/restart", // Server restart
"system/shutdown", // Server shutdown
"system/configuration", // System configuration changes
"system/logs", // Server logs access
"system/activitylog", // Activity log access
"plugins/", // Plugin management (install/uninstall/configure)
"scheduledtasks/", // Scheduled task management
"startup/", // Initial server setup
"users/new", // User creation
"library/refresh", // Library scan (expensive operation)
"library/virtualfolders", // Library folder management
"branding/", // Branding configuration
"displaypreferences/", // Display preferences (if not user-specific)
"notifications/admin" // Admin notifications
};
// Check if path matches any blocked prefix
if (blockedPrefixes.Any(prefix =>
path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
{
_logger.LogWarning("BLOCKED: Access denied to admin endpoint: {Path} from {IP}",
path,
HttpContext.Connection.RemoteIpAddress);
return StatusCode(403, new
{
error = "Access to administrative endpoints is not allowed through this proxy",
path = path
});
}
// Intercept Spotify playlist requests by ID // Intercept Spotify playlist requests by ID
if (_spotifySettings.Enabled && if (_spotifySettings.Enabled &&
path.StartsWith("playlists/", StringComparison.OrdinalIgnoreCase) && path.StartsWith("playlists/", StringComparison.OrdinalIgnoreCase) &&