
Conversation

@bitr8 bitr8 (Owner) commented Jan 2, 2026

Summary

This PR addresses 6 security vulnerabilities identified during comprehensive code review (with Claude, Gemini, and Codex).

Critical Fixes

| # | Issue | File | Fix |
|---|-------|------|-----|
| 1 | API key leak in error logs | overseerr.ts | Redact sensitive headers before logging |
| 2 | Unhandled promise rejection | externalapi.ts | Add catch handler to background refresh |
| 3 | Path traversal vulnerability | placeholderManager.ts | Validate path within library root |
| 4 | Division by zero crash | MultiSourceOrchestrator.ts | Validate non-empty sources array |
| 5 | Unbounded remote fetch | animeIds.ts | Add 30s timeout + 50MB size limit |
| 6 | Unvalidated poster downloads | LocalPosterFolderService.ts | Validate status, content-type, size |

Details

1. API Key Leak Prevention

  • Redact X-Api-Key and Authorization headers before logging
  • Remove requestData from error logs to prevent PII exposure

2. Unhandled Promise Rejection Fix

  • Rolling cache background refresh now has proper error handling
  • Prevents Node.js crashes in strict mode

3. Path Traversal Protection

  • Resolves both paths to absolute before comparison
  • Ensures file deletion only within configured library roots
  • Logs security events for monitoring

4. Division by Zero Prevention

  • Validates config.sources array is not empty before cycle_lists mode
  • Returns gracefully with {created: 0, updated: 0} instead of crashing

5. Bounded Remote Fetch

  • 30-second timeout via AbortController
  • 50MB maximum response size check (content-length + body size)
  • Properly cleans up timeout in finally block

6. Poster Download Validation

  • Only accepts HTTP 200 status
  • Validates content-type starts with image/
  • Enforces 50MB maximum file size

Test Plan

  • Verify overlays still apply correctly
  • Verify collections sync with multi-source configs
  • Verify placeholder creation/deletion works
  • Verify anime ID loading still works
  • Check logs don't contain API keys on Overseerr errors
  • Verify poster downloads complete successfully

🤖 Generated with Claude Code
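One way to do the redaction described under "API Key Leak Prevention", as an added TypeScript example that is not code from this PR or from the project. It assumes an axios-like error shape (`config.headers`, `config.data`, `response.data`); the names `sanitizeErrorForLog`, `redactHeaders`, `scrub` and the sample error are illustrative. Beyond blanking the two headers, it also collects the secret header values and scrubs them from the response body, URL and message before truncating, so an upstream that echoes a bad key back in its 401 body does not leak it either, and it drops the request body entirely.

```typescript
// Added example, not project code: sanitize an HTTP client error before logging it.
// `HttpErrorLike` is an assumed axios-like shape; all names here are illustrative.

const SENSITIVE_HEADERS = new Set(['x-api-key', 'authorization', 'proxy-authorization', 'cookie', 'set-cookie']);
const REDACTED = '[REDACTED]';
const MAX_BODY_CHARS = 256;

interface HttpErrorLike {
  message: string;
  config?: { method?: string; url?: string; headers?: Record<string, string>; data?: unknown };
  response?: { status?: number; data?: unknown };
}

interface LoggableError {
  message: string;
  method?: string;
  url?: string;
  status?: number;
  requestHeaders: Record<string, string>;
  responseData?: string;
}

// Blank sensitive headers by case-insensitive name. The original secret values are returned
// so callers can scrub them out of any other text (bodies, URLs, messages) as well.
function redactHeaders(headers: Record<string, string>): { redacted: Record<string, string>; secrets: string[] } {
  const redacted: Record<string, string> = {};
  const secrets: string[] = [];
  for (const name of Object.keys(headers)) {
    const value = headers[name];
    if (SENSITIVE_HEADERS.has(name.toLowerCase())) {
      redacted[name] = REDACTED;
      if (value) secrets.push(value);
    } else {
      redacted[name] = value;
    }
  }
  return { redacted, secrets };
}

// "Bearer <token>" / "Basic <blob>": scrub the bare token too, since servers often echo only that part.
// Very short strings are skipped so scrubbing cannot mangle unrelated text.
function expandSecrets(secrets: string[]): string[] {
  const out = new Set<string>();
  for (const s of secrets) {
    out.add(s);
    const m = /^\s*(?:bearer|basic)\s+(\S+)/i.exec(s);
    if (m) out.add(m[1]);
  }
  return Array.from(out).filter((s) => s.length >= 8);
}

function scrub(text: string, secrets: string[]): string {
  let out = text;
  for (const s of secrets) out = out.split(s).join(REDACTED);
  return out;
}

function truncate(text: string, max = MAX_BODY_CHARS): string {
  return text.length > max ? `${text.slice(0, max)}...[truncated ${text.length - max} chars]` : text;
}

function sanitizeErrorForLog(err: HttpErrorLike): LoggableError {
  const { redacted, secrets } = redactHeaders(err.config?.headers ?? {});
  const all = expandSecrets(secrets);
  const data = err.response?.data;
  let responseData: string | undefined;
  if (data !== undefined) {
    let raw: string;
    try {
      raw = typeof data === 'string' ? data : JSON.stringify(data);
    } catch {
      raw = String(data); // circular or otherwise unserializable body
    }
    // Scrub BEFORE truncating: truncating first could leave a secret's prefix in the log.
    responseData = truncate(scrub(raw, all));
  }
  return {
    message: scrub(err.message, all),
    method: err.config?.method,
    url: err.config?.url !== undefined ? scrub(err.config.url, all) : undefined,
    status: err.response?.status,
    requestHeaders: redacted,
    responseData,
    // config.data (the request body) is deliberately not copied: it may carry PII.
  };
}

// Constructed sample input: an upstream that echoes the rejected key back in its error body.
const sampleError: HttpErrorLike = {
  message: 'Request failed with status code 401',
  config: {
    method: 'get',
    url: 'https://overseerr.example/api/v1/request',
    headers: { 'X-Api-Key': 'ovsr_example_key_0123456789', Authorization: 'Bearer tok_example_abcdefghijkl' },
    data: { user: 'alice@example.com' },
  },
  response: { status: 401, data: { error: 'invalid api key ovsr_example_key_0123456789', echo: 'x'.repeat(1000) } },
};
```

The scrub list is built from the request that failed, so it needs no global registry of secrets; the trade-off is that a credential present only in the body (for example a token inside a JSON payload) is not caught, which is why the request body is dropped rather than filtered.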

@bitr8 bitr8 force-pushed the pr/security-fixes branch from 3214632 to 9a87936 on January 2, 2026 06:23

## Changes

1. **Prevent API key leaks in error logs** (overseerr.ts)
   - Redact X-Api-Key and Authorization headers before logging
   - Truncate and sanitize responseData to prevent echoed credential leaks
   - Remove requestData from error logs to prevent PII exposure

2. **Handle unhandled promise rejections** (externalapi.ts)
   - Add catch handler to rolling cache background refresh
   - Prevents Node.js crashes in strict mode

3. **Prevent path traversal in placeholder deletion** (placeholderManager.ts)
   - Use fs.realpath to resolve symlinks before path validation
   - Blocks symlink escape attacks (e.g., /library/link -> /etc)
   - Validate resolved path is within configured library root

4. **Prevent division by zero crash** (MultiSourceOrchestrator.ts)
   - Validate sources array is not empty before cycle_lists mode
   - Gracefully return instead of crashing on empty sources

5. **Add timeout and size limits to anime IDs fetch** (animeIds.ts)
   - 30 second timeout via AbortController
   - Streaming download with real-time byte counting
   - Aborts immediately when 50MB limit exceeded (no buffering)

6. **Validate poster downloads** (LocalPosterFolderService.ts)
   - Validate HTTP 200 status code
   - Validate content-type is image/*
   - Enforce 50MB maximum file size
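The symlink-aware containment check described under item 3, as an added TypeScript example that is not this PR's or the project's code. `resolveWithinRoot` and `demo` are illustrative names; the fixture it builds under the OS temp directory (a `library` root, an `outside` directory, and `library/link -> outside`) is constructed for the demonstration. The example canonicalises both the root and the candidate with `fs.realpathSync`, resolves `..` lexically first, and refuses anything that does not exist, since a path that cannot be canonicalised cannot be proven to be inside the root.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Added example, not project code. Returns the canonical path of `candidate` if, after
// resolving every symlink, it lies inside `libraryRoot`; otherwise null (caller must not delete).
function resolveWithinRoot(libraryRoot: string, candidate: string): string | null {
  // Canonicalise the root too: e.g. /tmp is itself a symlink on macOS, and comparing a
  // canonical child against a non-canonical root would reject every legitimate path.
  // Throws if the configured root does not exist, which is a configuration error worth surfacing.
  const rootReal = fs.realpathSync(libraryRoot);
  // Lexical resolution first: relative candidates are joined to the root and ".." collapsed.
  const joined = path.resolve(rootReal, candidate);
  let real: string;
  try {
    // Follows symlinks in every component (the /library/link -> /etc case) and throws if missing.
    real = fs.realpathSync(joined);
  } catch {
    return null; // missing, dangling symlink or unreadable: refuse rather than guess
  }
  // Prefix check must include the separator, so /lib-other is not treated as inside /lib.
  const inside = real === rootReal || real.startsWith(rootReal + path.sep);
  return inside ? real : null;
}

interface DemoResults {
  rootReal: string;
  normal: string | null;
  dotdot: string | null;
  symlinkEscape: string | null;
  missing: string | null;
  absoluteOutside: string | null;
}

// Builds a constructed fixture in a temp directory and runs the check against typical inputs.
function demo(): DemoResults {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'placeholder-demo-'));
  const root = path.join(base, 'library');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(path.join(root, 'Movies'), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, 'Movies', 'placeholder.mp4'), '');
  fs.writeFileSync(path.join(outside, 'secret.txt'), 'must not be deleted');
  fs.symlinkSync(outside, path.join(root, 'link')); // the escape: library/link -> outside
  try {
    return {
      rootReal: fs.realpathSync(root),
      normal: resolveWithinRoot(root, 'Movies/placeholder.mp4'),
      dotdot: resolveWithinRoot(root, '../outside/secret.txt'),
      symlinkEscape: resolveWithinRoot(root, 'link/secret.txt'),
      missing: resolveWithinRoot(root, 'Movies/nope.mp4'),
      absoluteOutside: resolveWithinRoot(root, path.join(outside, 'secret.txt')),
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

The check is a snapshot: between `realpathSync` and the `unlink` that follows it, anyone who can write into the library could swap a directory for a symlink (a TOCTOU race). For a deletion path that matters, also `lstat` the final component and refuse to delete anything that is itself a symlink, and log the rejected path as the PR's item 3 does so the event is visible to monitoring.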

@bitr8 bitr8 force-pushed the pr/security-fixes branch from 9a87936 to 89b5534 on January 2, 2026 06:25
@bitr8 bitr8 closed this Jan 2, 2026
@bitr8 bitr8 deleted the pr/security-fixes branch January 2, 2026 06:27