bugfix: security & correctness bundle (0.34.1)

Five fixes bundled into one release: - preserve user-attached tags across crawler upserts (repo::crawler::sync_tags now scopes to added_by IS NULL; orphaned attachments from deleted users are reaped as crawler-owned) - gate manga PATCH and cover endpoints on uploaded_by (require_can_edit in api::mangas; non-NULL uploaded_by must match the caller) - equalise login response time across user-existence branches (run argon2 against a OnceLock-cached dummy hash on the no-user branch so timing doesn't leak username existence) - crawler download defences (SSRF allowlist of host literals including IPv4-mapped IPv6 ranges, 32 MiB streamed size cap, reject non-whitelisted image types, three-way chapter-probe classifier replaces the binary #avatar_menu check) - tighten validation and clean up dead unload path (attach_tag + create_token enforce 64-char caps; LocalStorage rejects NUL bytes explicitly; reader flushFinalProgress drops the always-405 sendBeacon path) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 20:24:51 +02:00
parent c5c1179e9d
commit 8d34132883
25 changed files with 1399 additions and 88 deletions
--- a/backend/src/crawler/pipeline.rs
+++ b/backend/src/crawler/pipeline.rs
@@ -9,6 +9,7 @@ use uuid::Uuid;
 use crate::crawler::browser_manager::BrowserManager;
 use crate::crawler::jobs::{self, EnqueueResult, JobPayload};
 use crate::crawler::rate_limit::HostRateLimiters;
+use crate::crawler::safety::{fetch_bytes_capped, looks_like_image, DownloadAllowlist};
 use crate::crawler::source::target::TargetSource;
 use crate::crawler::source::{DiscoverMode, FetchContext, Source};
 use crate::repo;
@@ -62,6 +63,8 @@ pub async fn run_metadata_pass(
    limit: usize,
    skip_chapters: bool,
    mode: DiscoverMode,
+    allowlist: &DownloadAllowlist,
+    max_image_bytes: usize,
 ) -> anyhow::Result<MetadataStats> {
    let lease = browser_manager
        .acquire()
@@ -181,6 +184,8 @@ pub async fn run_metadata_pass(
                        &r.url,
                        upsert.manga_id,
                        cover_url,
+                        allowlist,
+                        max_image_bytes,
                    )
                    .await
                    {
@@ -382,6 +387,7 @@ pub struct EnqueueSummary {
 /// pipeline because the CLI still calls it from its inline chapter-content
 /// loop; once the worker pool fully replaces that path we can fold this
 /// into `pipeline` proper.
+#[allow(clippy::too_many_arguments)]
 async fn download_and_store_cover(
    db: &PgPool,
    storage: &dyn Storage,
@@ -390,6 +396,8 @@ async fn download_and_store_cover(
    manga_url: &str,
    manga_id: Uuid,
    cover_url: &str,
+    allowlist: &DownloadAllowlist,
+    max_image_bytes: usize,
 ) -> anyhow::Result<()> {
    let absolute = reqwest::Url::parse(manga_url)
        .context("parse manga URL")?
@@ -397,17 +405,22 @@ async fn download_and_store_cover(
        .context("join cover URL onto manga URL")?;

    rate.wait_for(absolute.as_str()).await?;
-    let resp = http
-        .get(absolute.clone())
-        .header(reqwest::header::REFERER, manga_url)
-        .send()
-        .await
-        .with_context(|| format!("GET {absolute}"))?
-        .error_for_status()
-        .with_context(|| format!("non-2xx for {absolute}"))?;
-    let bytes = resp.bytes().await.context("read cover body")?;
-    let kind = infer::get(&bytes);
-    let ext = kind.map(|k| k.extension()).unwrap_or("bin");
+    let bytes = fetch_bytes_capped(
+        http,
+        absolute.as_str(),
+        Some(manga_url),
+        allowlist,
+        max_image_bytes,
+    )
+    .await?;
+    if !looks_like_image(&bytes) {
+        anyhow::bail!(
+            "cover URL {absolute} returned non-image bytes; refusing to store as binary blob"
+        );
+    }
+    let ext = infer::get(&bytes)
+        .map(|k| k.extension())
+        .expect("looks_like_image asserted infer succeeded");
    let key = format!("mangas/{manga_id}/cover.{ext}");

    storage