fix: mitigate remote property injection vulnerabilities in CoverArtArchive

2025-12-24 02:39:18 -05:00 · 2025-03-13 11:38:23 +01:00
parent 1de60a6743
commit 3315d9d2d9
1 changed files with 13 additions and 24 deletions
--- a/server/api/coverartarchive/index.ts
+++ b/server/api/coverartarchive/index.ts
@@ -160,6 +160,9 @@ class CoverArtArchive extends ExternalAPI {

    if (!validIds.length) return {};

+    const resultsMap = new Map<string, string | null>();
+    const idsToFetch: string[] = [];
+
    const metadataRepository = getRepository(MetadataAlbum);
    const existingMetadata = await metadataRepository.find({
      where: { mbAlbumId: In(validIds) },
@@ -170,24 +173,13 @@ class CoverArtArchive extends ExternalAPI {
      existingMetadata.map((metadata) => [metadata.mbAlbumId, metadata])
    );

-    const results: Record<string, string | null> = {};
-    const idsToFetch: string[] = [];
-
    for (const id of validIds) {
      const metadata = metadataMap.get(id);

      if (metadata?.caaUrl) {
-        Object.defineProperty(results, id, {
-          value: metadata.caaUrl,
-          enumerable: true,
-          writable: true,
-        });
+        resultsMap.set(id, metadata.caaUrl);
      } else if (metadata && !this.isMetadataStale(metadata)) {
-        Object.defineProperty(results, id, {
-          value: null,
-          enumerable: true,
-          writable: true,
-        });
+        resultsMap.set(id, null);
      } else {
        idsToFetch.push(id);
      }
@@ -199,11 +191,7 @@ class CoverArtArchive extends ExternalAPI {
          this.fetchCoverArt(id)
            .then((response) => {
              const frontImage = response.images.find((img) => img.front);
-              Object.defineProperty(results, id, {
-                value: frontImage?.thumbnails?.[250] || null,
-                enumerable: true,
-                writable: true,
-              });
+              resultsMap.set(id, frontImage?.thumbnails?.[250] || null);
              return true;
            })
            .catch((error) => {
@@ -212,16 +200,12 @@ class CoverArtArchive extends ExternalAPI {
                id,
                error: error instanceof Error ? error.message : 'Unknown error',
              });
-              Object.defineProperty(results, id, {
-                value: null,
-                enumerable: true,
-                writable: true,
-              });
+              resultsMap.set(id, null);
              return false;
            })
        );

-        await Promise.all(batchPromises);
+        await Promise.allSettled(batchPromises);
      } catch (error) {
        logger.error('Failed to process cover art requests', {
          label: 'CoverArtArchive',
@@ -230,6 +214,11 @@ class CoverArtArchive extends ExternalAPI {
      }
    }

+    const results: Record<string, string | null> = {};
+    for (const [key, value] of resultsMap.entries()) {
+      results[key] = value;
+    }
+
    return results;
  }
 }