From 14fdd4e2934eeb0aa2ec7bab365cd9b5fd9b1b4a Mon Sep 17 00:00:00 2001
From: JoaquinOlivero
Date: Tue, 27 Aug 2024 22:04:26 +0000
Subject: [PATCH] fix: fix vulnerability
---
 server/routes/auth.ts | 8 ++++----
 server/routes/avatarproxy.ts | 2 +-
 server/routes/user/index.ts | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index 14ede058f..980214d28 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -345,7 +345,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
       });
       if (
-        user.avatar.includes('https://gravatar.com') &&
+        user.avatar.startsWith('https://gravatar.com') &&
         user.avatar.includes('default=mm&size=200')
       ) {
         user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -371,7 +371,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
       });
       if (
-        user.avatar.includes('https://gravatar.com') &&
+        user.avatar.startsWith('https://gravatar.com') &&
         user.avatar.includes('default=mm&size=200')
       ) {
         user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -437,7 +437,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
       });
       if (
-        avatar.includes('https://gravatar.com') &&
+        avatar.startsWith('https://gravatar.com') &&
         avatar.includes('default=mm&size=200')
       ) {
         avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -500,7 +500,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
       });
       if (
-        user.avatar.includes('https://gravatar.com') &&
+        user.avatar.startsWith('https://gravatar.com') &&
         user.avatar.includes('default=mm&size=200')
       ) {
         user.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
diff --git a/server/routes/avatarproxy.ts b/server/routes/avatarproxy.ts
index e6f5c2ee0..6c2d3f10d 100644
--- a/server/routes/avatarproxy.ts
+++ b/server/routes/avatarproxy.ts
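Review bot: The new test `user.avatar.startsWith('https://gravatar.com')` (first hunk; the same line recurs in the hunks at 371, 437 and 500 and in the avatarproxy.ts and user/index.ts hunks) ends at `.com` with no `/` terminator, so it is still a string-prefix check rather than an origin check: any absolute URL whose authority begins with those characters passes it, while a subdomain form such as `https://www.gravatar.com/...` does not. If the intent is to recognise the Gravatar origin, use `user.avatar.startsWith('https://gravatar.com/')`, or, where the value is known to be an absolute URL, `new URL(user.avatar).hostname === 'gravatar.com'`. From these hunks a loose match only replaces the value with the fixed default URL, so its consequence looks benign here, but what happens to a value that does not match is outside the hunk and cannot be judged from it. Since the commit message says only "fix vulnerability", add a why-comment above the condition, e.g. `// Anchor the origin check: a substring match would also accept URLs that merely embed gravatar.com`; the enclosing '/jellyfin' handler starts and ends outside every one of these hunks.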
@@ -11,7 +11,7 @@ router.get('/*', async (req, res) => {
   try {
     if (
-      imagePath.includes('https://gravatar.com') &&
+      imagePath.startsWith('https://gravatar.com') &&
       imagePath.includes('default=mm&size=200')
     ) {
       imagePath = 'https://gravatar.com/avatar/?default=mm&size=200';
diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts
index 3296aff73..f999575f3 100644
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -125,7 +125,7 @@ router.post(
       let avatar = gravatarUrl(email, { default: 'mm', size: 200 });
       if (
-        avatar.includes('https://gravatar.com') &&
+        avatar.startsWith('https://gravatar.com') &&
         avatar.includes('default=mm&size=200')
       ) {
         avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
@@ -565,7 +565,7 @@ router.post(
       });
       if (
-        newUser.avatar.includes('https://gravatar.com') &&
+        newUser.avatar.startsWith('https://gravatar.com') &&
         newUser.avatar.includes('default=mm&size=200')
       ) {
         newUser.avatar = 'https://gravatar.com/avatar/?default=mm&size=200';
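Review bot: The same four-line normalisation is now copied seven times across three files (this avatarproxy.ts hunk, both user/index.ts hunks and four in auth.ts), so any further tightening of the origin check has to be repeated at every site and one copy is likely to be missed; move it into a single exported helper in a shared module and reduce each site to `imagePath = normalizeGravatarUrl(imagePath);`. A helper also gives the check a natural place to parse the URL and compare the hostname instead of matching a string prefix, which is what makes the check precise. In avatarproxy.ts the value is presumably request-derived given the `/*` route (its assignment is outside the hunk), so this is the site where a precise check matters most. The handler body continues past the hunk in each file.

```typescript
const GRAVATAR_DEFAULT_AVATAR = 'https://gravatar.com/avatar/?default=mm&size=200';

/**
 * Collapses a Gravatar "mm" default URL to the canonical default URL.
 * Any other value, including a non-absolute URL, is returned unchanged.
 */
export function normalizeGravatarUrl(url: string): string {
  let hostname: string;
  try {
    hostname = new URL(url).hostname;
  } catch {
    return url; // not an absolute URL: nothing to normalise
  }
  return hostname === 'gravatar.com' && url.includes('default=mm&size=200')
    ? GRAVATAR_DEFAULT_AVATAR
    : url;
}

// … unchanged: rest of the avatarproxy handler …
imagePath = normalizeGravatarUrl(imagePath);
```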