fix: resolve a vulnerability with admin token (#1345)

By default, the jellyfinAuthToken of every user was always retrieved from the database, and
sometimes sent back to the client. Any logged-in user could retrieve this token via a request
that returned admin user information, and use it to gain full access to Jellyfin. This PR removes the
auth token and the device ID from the fields selected by default by TypeORM.
Gauthier
2025-02-10 00:17:11 +01:00
committed by GitHub
parent 2dbd1096d2
commit 620135aeac
2 changed files with 4 additions and 3 deletions


@@ -83,13 +83,13 @@ export class User {
@Column({ nullable: true })
public jellyfinUserId?: string;
@Column({ nullable: true })
@Column({ nullable: true, select: false })
public jellyfinDeviceId?: string;
@Column({ nullable: true })
@Column({ nullable: true, select: false })
public jellyfinAuthToken?: string;
@Column({ nullable: true })
@Column({ nullable: true, select: false })
public plexToken?: string;
@Column({ type: 'integer', default: 0 })