bugfix: security & correctness bundle (0.34.1)

Five fixes bundled into one release: - preserve user-attached tags across crawler upserts (repo::crawler::sync_tags now scopes to added_by IS NULL; orphaned attachments from deleted users are reaped as crawler-owned) - gate manga PATCH and cover endpoints on uploaded_by (require_can_edit in api::mangas; non-NULL uploaded_by must match the caller) - equalise login response time across user-existence branches (run argon2 against a OnceLock-cached dummy hash on the no-user branch so timing doesn't leak username existence) - crawler download defences (SSRF allowlist of host literals including IPv4-mapped IPv6 ranges, 32 MiB streamed size cap, reject non-whitelisted image types, three-way chapter-probe classifier replaces the binary #avatar_menu check) - tighten validation and clean up dead unload path (attach_tag + create_token enforce 64-char caps; LocalStorage rejects NUL bytes explicitly; reader flushFinalProgress drops the always-405 sendBeacon path) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 20:24:51 +02:00
parent c5c1179e9d
commit 8d34132883
25 changed files with 1399 additions and 88 deletions
--- a/backend/src/app.rs
+++ b/backend/src/app.rs
@@ -19,6 +19,7 @@ use crate::crawler::daemon::{self, ChapterDispatcher, DaemonConfig, MetadataPass
 use crate::crawler::jobs::JobPayload;
 use crate::crawler::pipeline::{self, MetadataStats};
 use crate::crawler::rate_limit::HostRateLimiters;
+use crate::crawler::safety::DownloadAllowlist;
 use crate::crawler::session;
 use crate::crawler::source::{target as target_source, DiscoverMode};
 use crate::repo;
@@ -153,6 +154,8 @@ async fn spawn_crawler_daemon(
            start_url: url.clone(),
            mode_pref: cfg.mode,
            incremental_stop_after: cfg.incremental_stop_after,
+            download_allowlist: cfg.download_allowlist.clone(),
+            max_image_bytes: cfg.max_image_bytes,
        });
        m
    });
@@ -163,6 +166,8 @@ async fn spawn_crawler_daemon(
        storage: Arc::clone(&storage),
        http,
        rate: Arc::clone(&rate),
+        download_allowlist: cfg.download_allowlist.clone(),
+        max_image_bytes: cfg.max_image_bytes,
    });

    // Shared cancellation: daemon shutdown cancels the BrowserManager's
@@ -216,6 +221,8 @@ struct RealMetadataPass {
    start_url: String,
    mode_pref: CrawlerModePref,
    incremental_stop_after: usize,
+    download_allowlist: DownloadAllowlist,
+    max_image_bytes: usize,
 }

 #[async_trait]
@@ -238,6 +245,8 @@ impl MetadataPass for RealMetadataPass {
            0,
            false,
            mode,
+            &self.download_allowlist,
+            self.max_image_bytes,
        )
        .await
    }
@@ -293,6 +302,8 @@ struct RealChapterDispatcher {
    storage: Arc<dyn Storage>,
    http: reqwest::Client,
    rate: Arc<HostRateLimiters>,
+    download_allowlist: DownloadAllowlist,
+    max_image_bytes: usize,
 }

 #[async_trait]
@@ -322,6 +333,8 @@ impl ChapterDispatcher for RealChapterDispatcher {
                    manga_id,
                    &source_url,
                    false,
+                    &self.download_allowlist,
+                    self.max_image_bytes,
                )
                .await?;
                drop(lease);