Gandalf/sofarr
Private
Public Access
0
0
Fork 0
Code Issues Packages Releases 30 Wiki Activity

fix(security #10): sanitize error details to prevent API key leakage

Browse Source 
Added server/utils/sanitizeError.js which redacts:
- ?apikey= query parameters (SABnzbd passes key in URL)
- ?token= query parameters
- X-Api-Key / X-MediaBrowser-Token / X-Emby-Authorization header
  values if they appear in the error message string

Applied to all catch blocks in emby.js, sabnzbd.js, sonarr.js,
radarr.js, and dashboard.js. Internal error.message still logged
server-side (unredacted) for debugging.
This commit is contained in:
Gronod
2026-05-16 16:22:11 +01:00
parent d8584d0511
commit 8fa20c6990
6 changed files with 36 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/routes/emby.js
+5 -4
View File
@@ -2,6 +2,7 @@ const express = require('express');
const axios = require('axios');
const router = express.Router();
const requireAuth = require('../middleware/requireAuth');
const sanitizeError = require('../utils/sanitizeError');
const EMBY_URL = process.env.EMBY_URL;
const EMBY_API_KEY = process.env.EMBY_API_KEY;
@@ -16,7 +17,7 @@ router.get('/sessions', async (req, res) => {
});
res.json(response.data);
} catch (error) {
res.status(500).json({ error: 'Failed to fetch Emby sessions', details: error.message });
res.status(500).json({ error: 'Failed to fetch Emby sessions', details: sanitizeError(error) });
}
});
@@ -28,7 +29,7 @@ router.get('/users/:id', async (req, res) => {
});
res.json(response.data);
} catch (error) {
res.status(500).json({ error: 'Failed to fetch user details', details: error.message });
res.status(500).json({ error: 'Failed to fetch user details', details: sanitizeError(error) });
}
});
@@ -40,7 +41,7 @@ router.get('/users', async (req, res) => {
});
res.json(response.data);
} catch (error) {
res.status(500).json({ error: 'Failed to fetch users', details: error.message });
res.status(500).json({ error: 'Failed to fetch users', details: sanitizeError(error) });
}
});
@@ -62,7 +63,7 @@ router.get('/session/:sessionId/user', async (req, res) => {
res.json(userResponse.data);
} catch (error) {
res.status(500).json({ error: 'Failed to fetch user from session', details: error.message });
res.status(500).json({ error: 'Failed to fetch user from session', details: sanitizeError(error) });
}
});