6bd23e7e8b
- Disable open /api/auth/register endpoint (gateway) - Require gateway session auth on Immich and Karakeep hooks proxies - Replace SHA-256 with bcrypt in fitness service (auth + seed) - Remove hardcoded Telegram user IDs from fitness seed - Add Secure flag to session cookie - Add domain allowlist and content-type validation to image proxy - Strengthen .gitignore (env variants, runtime data, test artifacts)
78 lines
2.5 KiB
Python
78 lines
2.5 KiB
Python
"""
|
|
Platform Gateway — Image proxy with domain allowlist.
|
|
"""
|
|
|
|
import urllib.request
|
|
import urllib.parse
|
|
|
|
from config import _ssl_ctx
|
|
|
|
ALLOWED_IMAGE_DOMAINS = {
|
|
"i.redd.it",
|
|
"preview.redd.it",
|
|
"external-preview.redd.it",
|
|
"i.imgur.com",
|
|
"imgur.com",
|
|
"images-na.ssl-images-amazon.com",
|
|
"m.media-amazon.com",
|
|
"cdn.discordapp.com",
|
|
"media.discordapp.net",
|
|
"pbs.twimg.com",
|
|
"abs.twimg.com",
|
|
"upload.wikimedia.org",
|
|
"images.unsplash.com",
|
|
}
|
|
|
|
|
|
def handle_image_proxy(handler):
|
|
"""Proxy external images to bypass hotlink protection."""
|
|
qs = urllib.parse.urlparse(handler.path).query
|
|
params = urllib.parse.parse_qs(qs)
|
|
url = params.get("url", [None])[0]
|
|
if not url:
|
|
handler._send_json({"error": "Missing url parameter"}, 400)
|
|
return
|
|
|
|
# Validate URL scheme and domain allowlist
|
|
try:
|
|
parsed = urllib.parse.urlparse(url)
|
|
if parsed.scheme not in ("http", "https"):
|
|
handler._send_json({"error": "Invalid URL scheme"}, 400)
|
|
return
|
|
hostname = parsed.hostname or ""
|
|
if hostname not in ALLOWED_IMAGE_DOMAINS:
|
|
allowed = any(
|
|
hostname == d or hostname.endswith(f".{d}")
|
|
for d in ALLOWED_IMAGE_DOMAINS
|
|
)
|
|
if not allowed:
|
|
print(f"[ImageProxy] Blocked request for domain: {hostname}")
|
|
handler._send_json({"error": "Domain not allowed"}, 403)
|
|
return
|
|
except Exception:
|
|
handler._send_json({"error": "Invalid URL"}, 400)
|
|
return
|
|
|
|
try:
|
|
req = urllib.request.Request(url, headers={
|
|
"User-Agent": "Mozilla/5.0 (compatible; PlatformProxy/1.0)",
|
|
"Accept": "image/*,*/*",
|
|
"Referer": parsed.scheme + "://" + parsed.netloc + "/",
|
|
})
|
|
resp = urllib.request.urlopen(req, timeout=10, context=_ssl_ctx)
|
|
body = resp.read()
|
|
ct = resp.headers.get("Content-Type", "image/jpeg")
|
|
# Only serve actual image content types
|
|
if not ct.startswith("image/"):
|
|
handler._send_json({"error": "Response is not an image"}, 400)
|
|
return
|
|
handler.send_response(200)
|
|
handler.send_header("Content-Type", ct)
|
|
handler.send_header("Content-Length", len(body))
|
|
handler.send_header("Cache-Control", "public, max-age=86400")
|
|
handler.end_headers()
|
|
handler.wfile.write(body)
|
|
except Exception as e:
|
|
print(f"[ImageProxy] Error fetching {url}: {e}")
|
|
handler._send_json({"error": "Failed to fetch image"}, 502)
|