Add security blocklist for dangerous admin endpoints

- Block system restart/shutdown endpoints - Block system configuration changes - Block plugin management (install/uninstall/configure) - Block scheduled task management - Block server startup/setup endpoints - Block user creation endpoint - Block library management (refresh, virtual folders) - Block server logs and activity log access - Log blocked attempts with IP address for security monitoring - Returns 403 Forbidden with descriptive error message This maintains client compatibility via catch-all proxy while preventing unauthorized access to administrative functions.
2026-02-09 23:55:10 -05:00 · 2026-02-01 11:48:45 -05:00
parent 24df910ffa
commit 76f633afce
1 changed files with 34 additions and 0 deletions
--- a/allstarr/Controllers/JellyfinController.cs
+++ b/allstarr/Controllers/JellyfinController.cs
@@ -1662,6 +1662,7 @@ public class JellyfinController : ControllerBase
    /// <summary>
    /// Catch-all endpoint that proxies unhandled requests to Jellyfin transparently.
    /// This route has the lowest priority and should only match requests that don't have SearchTerm.
+    /// Blocks dangerous admin endpoints for security.
    /// </summary>
    [HttpGet("{**path}", Order = 100)]
    [HttpPost("{**path}", Order = 100)]
@@ -1670,6 +1671,39 @@ public class JellyfinController : ControllerBase
        // DEBUG: Log EVERY request to see what's happening
        _logger.LogWarning("ProxyRequest called with path: {Path}", path);
        
+        // Block dangerous admin endpoints
+        var blockedPrefixes = new[]
+        {
+            "system/restart",           // Server restart
+            "system/shutdown",          // Server shutdown
+            "system/configuration",     // System configuration changes
+            "system/logs",              // Server logs access
+            "system/activitylog",       // Activity log access
+            "plugins/",                 // Plugin management (install/uninstall/configure)
+            "scheduledtasks/",          // Scheduled task management
+            "startup/",                 // Initial server setup
+            "users/new",                // User creation
+            "library/refresh",          // Library scan (expensive operation)
+            "library/virtualfolders",   // Library folder management
+            "branding/",                // Branding configuration
+            "displaypreferences/",      // Display preferences (if not user-specific)
+            "notifications/admin"       // Admin notifications
+        };
+        
+        // Check if path matches any blocked prefix
+        if (blockedPrefixes.Any(prefix => 
+            path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
+        {
+            _logger.LogWarning("BLOCKED: Access denied to admin endpoint: {Path} from {IP}", 
+                path, 
+                HttpContext.Connection.RemoteIpAddress);
+            return StatusCode(403, new 
+            { 
+                error = "Access to administrative endpoints is not allowed through this proxy",
+                path = path
+            });
+        }
+        
        // Intercept Spotify playlist requests by ID
        if (_spotifySettings.Enabled && 
            path.StartsWith("playlists/", StringComparison.OrdinalIgnoreCase) &&