Add validation for URL domain in /artwork/generate endpoint

ciderapp · Aug 9, 2024 · 8d83815 · 8d83815
1 parent 596e83f
commit 8d83815
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/server.mjs b/server.mjs
@@ -123,6 +123,12 @@ app.get('/artwork/generate', async (req, res) => {
     if (!url) {
         return res.status(400).send('URL query parameter is required');
     }
+
+    const parsedUrl = new URL(url);
+    if (parsedUrl.hostname !== 'mvod.itunes.apple.com') {
+        logger.warn(`Invalid domain: ${parsedUrl.hostname}`);
+        return res.status(400).send('Only URLs from mvod.itunes.apple.com are allowed');
+    }
 
     try {
         const response = await fetch(url);