fix(imageproxy): restrict to relative paths to prevent baseURL override

[RinZ27]

Description

• Problem: The /imageproxy route could be tricked into fetching absolute URLs, bypassing the intended baseURL.
• Why it matters: This allowed for potential SSRF where internal network resources or server-side metadata could be accessed through the proxy.
• What changed: Added a check to ensure imagePath is a relative path starting with / and does not contain protocol strings or double slashes.

How Has This Been Tested?

• Verified that standard TMDB/TVDB paths (e.g., /t/p/xxx.jpg) still work.
• Verified that absolute URLs and double-slash bypasses are blocked.

Checklist:

• I have read and followed the contribution guidelines.
• Disclosed any use of AI.
• All new and existing tests passed. 🦞

Summary by CodeRabbit

• Bug Fixes
  • Enhanced input validation for the image proxy route to reject invalid image paths and return appropriate error responses. This prevents potential issues from malformed requests, improving system reliability and stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

📝 Walkthrough

Walkthrough

Input validation was added to the TMDB/TVDB image proxy route to ensure the image path adheres to security requirements, rejecting paths with invalid formats such as double slashes, missing leading slash, or URL schemes.

Changes

Cohort / File(s)	Summary
Image Proxy Validation server/routes/imageproxy.ts	Added input validation for image path parameter: enforce single leading slash, reject double slashes, and prevent URL scheme patterns. Invalid paths return 400 error response with logging.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A path must start with care and thought,
No double slashes, as they ought!
No schemes that hide where URLs creep,
Just single slash, our guard to keep.
Security sharp, the proxy's sweet.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main security fix: restricting the image proxy route to relative paths to prevent baseURL override attacks, which aligns directly with the changeset's primary purpose.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into develop

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

server/routes/imageproxy.ts (1)

41-41: Consider sanitizing logged input.

The imagePath is user-controlled and logged directly. While this is useful for debugging, consider truncating or sanitizing it to prevent potential log injection or excessively large log entries from malicious inputs.

🔧 Optional: Truncate logged path

-    logger.error('Invalid image path detected', { imagePath });
+    logger.error('Invalid image path detected', { imagePath: imagePath.slice(0, 200) });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/imageproxy.ts` at line 41, The logger.error call logs the
user-controlled variable imagePath directly; sanitize and/or truncate it before
logging to prevent log injection or oversized entries by e.g. stripping
control/newline characters and limiting length (e.g. to 200 chars) and then pass
the sanitized value to logger.error; update the usage in
server/routes/imageproxy.ts where logger.error('Invalid image path detected', {
imagePath }) is called to use the sanitized/truncated imagePath variable
instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/routes/imageproxy.ts`:
- Line 41: The logger.error call logs the user-controlled variable imagePath
directly; sanitize and/or truncate it before logging to prevent log injection or
oversized entries by e.g. stripping control/newline characters and limiting
length (e.g. to 200 chars) and then pass the sanitized value to logger.error;
update the usage in server/routes/imageproxy.ts where logger.error('Invalid
image path detected', { imagePath }) is called to use the sanitized/truncated
imagePath variable instead.

[gauthier-th]

I don't think I can reproduce this issue. When I try to inject an absolute URL to the image proxy, the URL is always prefixed with /. Could you please provide an example?