fix(proxy): add path validation guardrail to imageproxy by RinZ27 · Pull Request #2531 · seerr-team/seerr

RinZ27 · 2026-02-20T14:46:20Z

Description

This PR adds a path validation guardrail to the imageproxy route. It prevents the processing of protocol-relative URLs (starting with //) or absolute URLs (containing ://).

While the underlying ImageProxy logic uses a baseURL, this additional check ensures that malformed or malicious paths that might attempt to bypass the intended destination are blocked early at the routing level.

How Has This Been Tested?

Verified that standard image proxying for TMDB and TVDB remains functional. Confirmed that requests with absolute or protocol-relative paths in the imagePath parameter are now correctly caught and return a 403 Forbidden response, with a corresponding error logged.

Checklist:

I have read and followed the contribution guidelines.
Disclosed any use of AI: This PR was prepared with the assistance of an AI agent.
I have updated the documentation accordingly.
All new and existing tests passed.
Successful build pnpm build
Translation keys pnpm i18n:extract
Database migration (if required)

Summary by CodeRabbit

Bug Fixes
- Strengthened image proxy security by adding validation to detect and block potentially malicious image requests that try to reference external or malformed resources. Such requests are now rejected with an appropriate forbidden response, preventing unintended access and improving overall safety.

coderabbitai · 2026-02-20T14:46:35Z

No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Walkthrough

Adds a pre-check to the image proxy route that rejects requests where the constructed imagePath begins with // or contains ://, logging the event and returning HTTP 403 Forbidden to block potential SSRF.

Changes

Cohort / File(s)	Summary
SSRF Protection Guard `server/routes/imageproxy.ts`	Added validation that detects `imagePath` values starting with `//` or containing `://`; such requests are logged as SSRF attempts and responded to with 403 Forbidden. No other control-flow changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I sniff the paths both near and far,
If // or :// I find a scar,
I sound the bell, the gate stays shut,
Forbidden now — no sneaky cut,
Safe hops onward, guard on guard. ✨

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add path validation guardrail to imageproxy' clearly and specifically describes the main change: adding a path validation guardrail to the imageproxy route, which matches the PR objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Copilot

Pull request overview

This PR adds SSRF (Server-Side Request Forgery) protection to the imageproxy route by validating that incoming image paths do not contain protocol-relative URLs (//) or absolute URLs (://) that could bypass the intended base URLs for TMDB and TVDB image proxying.

Changes:

Added path validation check to detect and block potentially malicious URL patterns
Returns 403 Forbidden with error logging when SSRF attempt is detected

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

RinZ27 · 2026-02-23T10:31:16Z

I actually kept it as "Potential SSRF" during the initial pass to explicitly flag the security intent for the review process, otherwise I would've stuck with the functional naming from the start. Glad we're on the same page that "Invalid URL" is better for the production logs. Updated!

)

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [seerr/seerr](https://github.com/seerr-team/seerr) | minor | `v3.1.1` → `v3.2.0` | --- ### Release Notes <details> <summary>seerr-team/seerr (seerr/seerr)</summary> ### [`v3.2.0`](https://github.com/seerr-team/seerr/releases/tag/v3.2.0) [Compare Source](seerr-team/seerr@v3.1.1...v3.2.0) ##### [3.2.0](https://github.com/seerr-team/seerr/compare/v3.1.1..v3.2.0) - 2026-04-15 ##### 🚀 Features - *(blocklist)* Add support for collections ([#1841](seerr-team/seerr#1841)) - ([993ae4c](seerr-team/seerr@993ae4c)) - *(discover)* Handle errors gracefully when content is available ([#1542](seerr-team/seerr#1542)) - ([7920970](seerr-team/seerr@7920970)) - *(i18n)* Add Estonian language support ([#2611](seerr-team/seerr#2611)) - ([56b79ff](seerr-team/seerr@56b79ff)) - *(i18n)* Add Luxembourgish language support ([#2671](seerr-team/seerr#2671)) - ([dccdc95](seerr-team/seerr@dccdc95)) - *(i18n)* Add Vietnamese language support ([#2670](seerr-team/seerr#2670)) - ([40edaea](seerr-team/seerr@40edaea)) - *(jellyfin)* Allow Jellyfin Guids with dashes for import-from-jellyfin endpoint ([#2340](seerr-team/seerr#2340)) - ([3557745](seerr-team/seerr@3557745)) - *(notifications)* Add ntfy markdown formatting ([#2602](seerr-team/seerr#2602)) - ([77f2c13](seerr-team/seerr@77f2c13)) - *(notifications)* Webhook custom headers ([#2230](seerr-team/seerr#2230)) - ([3152f72](seerr-team/seerr@3152f72)) - *(notifications)* Add priority setting for ntfy agent ([#2306](seerr-team/seerr#2306)) - ([61e0377](seerr-team/seerr@61e0377)) - *(person)* Add tmdb- and imdb link on person detail page ([#2136](seerr-team/seerr#2136)) - ([fb2ee7c](seerr-team/seerr@fb2ee7c)) - *(quota)* Added support for unlimited quota days ([#2797](seerr-team/seerr#2797)) - ([6d8b2b7](seerr-team/seerr@6d8b2b7)) - *(requests)* Mark requests as failed when Radarr/Sonarr unreachable ([#2171](seerr-team/seerr#2171)) - ([c23117e](seerr-team/seerr@c23117e)) - *(settings)* Add blocklist region and language options ([#1802](seerr-team/seerr#1802)) - ([ff469cb](seerr-team/seerr@ff469cb)) - *(settings)* Add help tooltips for services setup ([#2662](seerr-team/seerr#2662)) - ([f5115da](seerr-team/seerr@f5115da)) - *(sonarr)* Add monitorNewItems option to sonarr settings & modal ([#2071](seerr-team/seerr#2071)) - ([5c34c91](seerr-team/seerr@5c34c91)) - *(trending)* Add filter options ([#2137](seerr-team/seerr#2137)) - ([4ce0db1](seerr-team/seerr@4ce0db1)) - *(ui)* Add loading state to request approve/decline buttons ([#2815](seerr-team/seerr#2815)) - ([bd8f2d4](seerr-team/seerr@bd8f2d4)) - *(userlist)* Add sortable columns to User List ([#1615](seerr-team/seerr#1615)) - ([eaf397a](seerr-team/seerr@eaf397a)) - *(webhook)* Add imdbid to webhook notification ([#2658](seerr-team/seerr#2658)) - ([2432e8d](seerr-team/seerr@2432e8d)) - Sort quality profiles ASC in request and service configuration ([#1805](seerr-team/seerr#1805)) - ([25e376c](seerr-team/seerr@25e376c)) - Add trailing whitespace warning on login username field ([#2040](seerr-team/seerr#2040)) ([#2177](seerr-team/seerr#2177)) - ([636dcb9](seerr-team/seerr@636dcb9)) ##### 🐛 Bug Fixes - *(auth)* Resolve Plex OAuth client ID mismatch ([#2746](seerr-team/seerr#2746)) - ([15b3109](seerr-team/seerr@15b3109)) - *(email)* Correctly classify final MIME header in PGP email encryption ([#2618](seerr-team/seerr#2618)) - ([9ec3d58](seerr-team/seerr@9ec3d58)) - *(email)* Preserve newlines in PGP key textarea fields ([#2617](seerr-team/seerr#2617)) - ([835e917](seerr-team/seerr@835e917)) - *(emby)* Use static version in auth header for emby only ([#2821](seerr-team/seerr#2821)) - ([fe2c041](seerr-team/seerr@fe2c041)) - *(entities)* Replace MySQL-only onUpdate with [@UpdateDateColumn](https://github.com/UpdateDateColumn) ([#2823](seerr-team/seerr#2823)) - ([0b8f872](seerr-team/seerr@0b8f872)) - *(generate-password)* Await setPassword to fix race condition ([#2845](seerr-team/seerr#2845)) - ([061121c](seerr-team/seerr@061121c)) - *(issues)* Update issue timestamp when adding comments ([#2616](seerr-team/seerr#2616)) - ([a16d046](seerr-team/seerr@a16d046)) - *(jellyfin-scanner)* Add TheMovieDb provider fallback for Jellyfin scanner ([#2605](seerr-team/seerr#2605)) - ([10f23f0](seerr-team/seerr@10f23f0)) - *(login)* Resolve stuck transition when switching login forms ([#2779](seerr-team/seerr#2779)) - ([735ec47](seerr-team/seerr@735ec47)) - *(media)* Exclude null mediaAddedAt entries ([#2607](seerr-team/seerr#2607)) - ([001f6b1](seerr-team/seerr@001f6b1)) - *(migration)* Repair postgres blocklist id sequence ([#2686](seerr-team/seerr#2686)) - ([f40323c](seerr-team/seerr@f40323c)) - *(movie,tv)* Respect display language for trailers ([#2674](seerr-team/seerr#2674)) - ([90d407d](seerr-team/seerr@90d407d)) - *(open-api)* Add missing mediaType query parameter to blocklist and watchlist ([#2722](seerr-team/seerr#2722)) - ([c7185d4](seerr-team/seerr@c7185d4)) - *(override-rules)* Remove users from `useEffect` dependency array ([#2771](seerr-team/seerr#2771)) - ([be57997](seerr-team/seerr@be57997)) - *(overseerr-merge)* Sanitise corrupt quota values during overseerr migration ([#2863](seerr-team/seerr#2863)) - ([43eff25](seerr-team/seerr@43eff25)) - *(plex)* Set 4K Plex URLs whenever ratingKey4k is set ([#2635](seerr-team/seerr#2635)) - ([1548948](seerr-team/seerr@1548948)) - *(proxy)* Add path validation guardrail to imageproxy ([#2531](seerr-team/seerr#2531)) - ([e086081](seerr-team/seerr@e086081)) - *(region-selector)* Prevent empty region reporting during sync ([#2636](seerr-team/seerr#2636)) - ([fbfcb43](seerr-team/seerr@fbfcb43)) - *(request)* Record modifiedBy on retry and add route tests ([#2824](seerr-team/seerr#2824)) - ([20ccd4b](seerr-team/seerr@20ccd4b)) - *(request)* Correct delete permission check and await movie save ([#2742](seerr-team/seerr#2742)) - ([6aeab38](seerr-team/seerr@6aeab38)) - *(requests)* Mark requests as completed when media is already available ([#2462](seerr-team/seerr#2462)) - ([d25d0ca](seerr-team/seerr@d25d0ca)) - *(settings)* Persist new settings defaults to disk on startup ([#2884](seerr-team/seerr#2884)) - ([66130be](seerr-team/seerr@66130be)) - *(settings)* Serialize settings writes and prevent partial overwrites ([#2696](seerr-team/seerr#2696)) - ([6c52a2f](seerr-team/seerr@6c52a2f)) - *(settings)* Remove beta info banner ([#2615](seerr-team/seerr#2615)) - ([fece753](seerr-team/seerr@fece753)) - *(setup)* Fix Plex login not proceeding after authentication ([#2596](seerr-team/seerr#2596)) - ([1dc5154](seerr-team/seerr@1dc5154)) - *(watchlist-sync)* Handle empty watchlists on PostgreSQL ([#2718](seerr-team/seerr#2718)) - ([865396f](seerr-team/seerr@865396f)) - Improve local login UX ([#2849](seerr-team/seerr#2849)) - ([aef2481](seerr-team/seerr@aef2481)) - Await missing repository saves ([#2760](seerr-team/seerr#2760)) - ([1bb638e](seerr-team/seerr@1bb638e)) - Helm chart liveness and readiness probe ([#2755](seerr-team/seerr#2755)) - ([4434c45](seerr-team/seerr@4434c45)) - Disambiguate tmdb ids by media type across lookups ([#2577](seerr-team/seerr#2577)) - ([0be1896](seerr-team/seerr@0be1896)) - Anchor streaming service filter check icon to each provider card ([#2634](seerr-team/seerr#2634)) - ([94ccd47](seerr-team/seerr@94ccd47)) ##### 📖 Documentation - *(contributing-guide)* Fix a typo ([#2807](seerr-team/seerr#2807)) - ([6f9b743](seerr-team/seerr@6f9b743)) - *(docker)* Replace backslashes by backticks in windows docker run commands \[skip-ci] ([#2557](seerr-team/seerr#2557)) - ([40e02bb](seerr-team/seerr@40e02bb)) - Clarify Docker volume creation instructions on fresh Windows install ([#2861](seerr-team/seerr#2861)) - ([a133930](seerr-team/seerr@a133930)) - Move network-related docs to a dedicated tab ([#2791](seerr-team/seerr#2791)) - ([5bbdc52](seerr-team/seerr@5bbdc52)) - Promote Nixpkgs as an official installation method ([#2775](seerr-team/seerr#2775)) - ([05ad60c](seerr-team/seerr@05ad60c)) - Fix PM2 start command syntax ([#2713](seerr-team/seerr#2713)) - ([5373da4](seerr-team/seerr@5373da4)) ##### 🚜 Refactor - *(imageproxy)* Reduce noisy image cache logging ([#2789](seerr-team/seerr#2789)) - ([036d000](seerr-team/seerr@036d000)) - *(notifications)* Move event from author to title field in Discord Embed ([#2119](seerr-team/seerr#2119)) - ([a2d1e1b](seerr-team/seerr@a2d1e1b)) - *(userlist)* Responsive columns and buttons ([#2083](seerr-team/seerr#2083)) - ([dbe1fca](seerr-team/seerr@dbe1fca)) - *(watchlistsync)* Log media request creation after success instead of before ([#2790](seerr-team/seerr#2790)) - ([685cb44](seerr-team/seerr@685cb44)) - Rename Error components to ErrorPage ([#2668](seerr-team/seerr#2668)) - ([d5c5f1f](seerr-team/seerr@d5c5f1f)) ##### 🧪 Testing - *(user-list)* Deflake sorting assertions ([#2766](seerr-team/seerr#2766)) - ([20c2ed8](seerr-team/seerr@20c2ed8)) - Support server-side unit testing ([#2485](seerr-team/seerr#2485)) - ([8563362](seerr-team/seerr@8563362)) ##### ⚙️ Miscellaneous Tasks - *(actions)* Update github actions ([#2683](seerr-team/seerr#2683)) - ([a2154f9](seerr-team/seerr@a2154f9)) - *(actions)* Update github actions ([#2672](seerr-team/seerr#2672)) - ([f047cab](seerr-team/seerr@f047cab)) - *(actions)* Update github actions ([#2632](seerr-team/seerr#2632)) - ([e25c1a5](seerr-team/seerr@e25c1a5)) - *(create-tag)* Correct quote style in commit message for tag preparation ([#2593](seerr-team/seerr#2593)) - ([687f18b](seerr-team/seerr@687f18b)) - *(docker)* Release alias for major and minor version series ([#2881](seerr-team/seerr#2881)) - ([1cc73a8](seerr-team/seerr@1cc73a8)) - *(i18n)* Update translations from Weblate - ([e85216a](seerr-team/seerr@e85216a)) - *(i18n)* Update translations from Weblate - ([b1adc79](seerr-team/seerr@b1adc79)) - *(i18n)* Update translations from Weblate ([#2419](seerr-team/seerr#2419)) - ([4bd7c19](seerr-team/seerr@4bd7c19)) - *(pr-validation)* Make checklist box detection case-insensitive ([#2802](seerr-team/seerr#2802)) - ([58514ec](seerr-team/seerr@58514ec)) - *(pr-validation)* Update pull request permissions to write for validation jobs ([#2800](seerr-team/seerr#2800)) - ([986761f](seerr-team/seerr@986761f)) - *(pr-validation)* Disable package manager cache in nodejs setup ([#2799](seerr-team/seerr#2799)) - ([67e27d5](seerr-team/seerr@67e27d5)) - *(release)* Prepare v3.2.0 - ([e0b2a1c](seerr-team/seerr@e0b2a1c)) - *(release)* Merge develop into main - ([c5800a0](seerr-team/seerr@c5800a0)) - Bump minimum required node version to 22.19.0 ([#2873](seerr-team/seerr#2873)) - ([891265f](seerr-team/seerr@891265f)) - Add PR validation workflow and update contributing guidelines ([#2777](seerr-team/seerr#2777)) - ([772e83d](seerr-team/seerr@772e83d)) - Upgrade to eslint v9 ([#2574](seerr-team/seerr#2574)) - ([36243a0](seerr-team/seerr@36243a0)) - Ignore helm scope in git-cliff ([#2638](seerr-team/seerr#2638)) - ([4d2b658](seerr-team/seerr@4d2b658)) ##### New Contributors ❤️ - [@aslafy-z](https://github.com/aslafy-z) made their first contribution - [@leereilly](https://github.com/leereilly) made their first contribution - [@jisef](https://github.com/jisef) made their first contribution - [@dougrathbone](https://github.com/dougrathbone) made their first contribution - [@bobziroll](https://github.com/bobziroll) made their first contribution - [@v3DJG6GL](https://github.com/v3DJG6GL) made their first contribution - [@Roboroads](https://github.com/Roboroads) made their first contribution - [@costajohnt](https://github.com/costajohnt) made their first contribution - [@tiagodefendi](https://github.com/tiagodefendi) made their first contribution - [@Jyasapara](https://github.com/Jyasapara) made their first contribution - [@Sym-jay](https://github.com/Sym-jay) made their first contribution - [@bibi0019](https://github.com/bibi0019) made their first contribution - [@redondos](https://github.com/redondos) made their first contribution - [@bogo22](https://github.com/bogo22) made their first contribution - [@jabloink](https://github.com/jabloink) made their first contribution - [@YakGravity](https://github.com/YakGravity) made their first contribution - [@dj0024javia](https://github.com/dj0024javia) made their first contribution - [@Jerra94](https://github.com/Jerra94) made their first contribution - [@its-wizza](https://github.com/its-wizza) made their first contribution - [@ventiph](https://github.com/ventiph) made their first contribution - [@RinZ27](https://github.com/RinZ27) made their first contribution </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/180 Co-authored-by: bot-owl <bot@erwanleboucher.dev> Co-committed-by: bot-owl <bot@erwanleboucher.dev>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [seerr/seerr](https://github.com/seerr-team/seerr) | minor | `v3.1.1` → `v3.2.0` | --- ### Release Notes <details> <summary>seerr-team/seerr (seerr/seerr)</summary> ### [`v3.2.0`](https://github.com/seerr-team/seerr/releases/tag/v3.2.0) [Compare Source](seerr-team/seerr@v3.1.1...v3.2.0) ##### [3.2.0](https://github.com/seerr-team/seerr/compare/v3.1.1..v3.2.0) - 2026-04-15 ##### 🚀 Features - *(blocklist)* Add support for collections ([#1841](seerr-team/seerr#1841)) - ([993ae4c](seerr-team/seerr@993ae4c)) - *(discover)* Handle errors gracefully when content is available ([#1542](seerr-team/seerr#1542)) - ([7920970](seerr-team/seerr@7920970)) - *(i18n)* Add Estonian language support ([#2611](seerr-team/seerr#2611)) - ([56b79ff](seerr-team/seerr@56b79ff)) - *(i18n)* Add Luxembourgish language support ([#2671](seerr-team/seerr#2671)) - ([dccdc95](seerr-team/seerr@dccdc95)) - *(i18n)* Add Vietnamese language support ([#2670](seerr-team/seerr#2670)) - ([40edaea](seerr-team/seerr@40edaea)) - *(jellyfin)* Allow Jellyfin Guids with dashes for import-from-jellyfin endpoint ([#2340](seerr-team/seerr#2340)) - ([3557745](seerr-team/seerr@3557745)) - *(notifications)* Add ntfy markdown formatting ([#2602](seerr-team/seerr#2602)) - ([77f2c13](seerr-team/seerr@77f2c13)) - *(notifications)* Webhook custom headers ([#2230](seerr-team/seerr#2230)) - ([3152f72](seerr-team/seerr@3152f72)) - *(notifications)* Add priority setting for ntfy agent ([#2306](seerr-team/seerr#2306)) - ([61e0377](seerr-team/seerr@61e0377)) - *(person)* Add tmdb- and imdb link on person detail page ([#2136](seerr-team/seerr#2136)) - ([fb2ee7c](seerr-team/seerr@fb2ee7c)) - *(quota)* Added support for unlimited quota days ([#2797](seerr-team/seerr#2797)) - ([6d8b2b7](seerr-team/seerr@6d8b2b7)) - *(requests)* Mark requests as failed when Radarr/Sonarr unreachable ([#2171](seerr-team/seerr#2171)) - ([c23117e](seerr-team/seerr@c23117e)) - *(settings)* Add blocklist region and language options ([#1802](seerr-team/seerr#1802)) - ([ff469cb](seerr-team/seerr@ff469cb)) - *(settings)* Add help tooltips for services setup ([#2662](seerr-team/seerr#2662)) - ([f5115da](seerr-team/seerr@f5115da)) - *(sonarr)* Add monitorNewItems option to sonarr settings & modal ([#2071](seerr-team/seerr#2071)) - ([5c34c91](seerr-team/seerr@5c34c91)) - *(trending)* Add filter options ([#2137](seerr-team/seerr#2137)) - ([4ce0db1](seerr-team/seerr@4ce0db1)) - *(ui)* Add loading state to request approve/decline buttons ([#2815](seerr-team/seerr#2815)) - ([bd8f2d4](seerr-team/seerr@bd8f2d4)) - *(userlist)* Add sortable columns to User List ([#1615](seerr-team/seerr#1615)) - ([eaf397a](seerr-team/seerr@eaf397a)) - *(webhook)* Add imdbid to webhook notification ([#2658](seerr-team/seerr#2658)) - ([2432e8d](seerr-team/seerr@2432e8d)) - Sort quality profiles ASC in request and service configuration ([#1805](seerr-team/seerr#1805)) - ([25e376c](seerr-team/seerr@25e376c)) - Add trailing whitespace warning on login username field ([#2040](seerr-team/seerr#2040)) ([#2177](seerr-team/seerr#2177)) - ([636dcb9](seerr-team/seerr@636dcb9)) ##### 🐛 Bug Fixes - *(auth)* Resolve Plex OAuth client ID mismatch ([#2746](seerr-team/seerr#2746)) - ([15b3109](seerr-team/seerr@15b3109)) - *(email)* Correctly classify final MIME header in PGP email encryption ([#2618](seerr-team/seerr#2618)) - ([9ec3d58](seerr-team/seerr@9ec3d58)) - *(email)* Preserve newlines in PGP key textarea fields ([#2617](seerr-team/seerr#2617)) - ([835e917](seerr-team/seerr@835e917)) - *(emby)* Use static version in auth header for emby only ([#2821](seerr-team/seerr#2821)) - ([fe2c041](seerr-team/seerr@fe2c041)) - *(entities)* Replace MySQL-only onUpdate with [@UpdateDateColumn](https://github.com/UpdateDateColumn) ([#2823](seerr-team/seerr#2823)) - ([0b8f872](seerr-team/seerr@0b8f872)) - *(generate-password)* Await setPassword to fix race condition ([#2845](seerr-team/seerr#2845)) - ([061121c](seerr-team/seerr@061121c)) - *(issues)* Update issue timestamp when adding comments ([#2616](seerr-team/seerr#2616)) - ([a16d046](seerr-team/seerr@a16d046)) - *(jellyfin-scanner)* Add TheMovieDb provider fallback for Jellyfin scanner ([#2605](seerr-team/seerr#2605)) - ([10f23f0](seerr-team/seerr@10f23f0)) - *(login)* Resolve stuck transition when switching login forms ([#2779](seerr-team/seerr#2779)) - ([735ec47](seerr-team/seerr@735ec47)) - *(media)* Exclude null mediaAddedAt entries ([#2607](seerr-team/seerr#2607)) - ([001f6b1](seerr-team/seerr@001f6b1)) - *(migration)* Repair postgres blocklist id sequence ([#2686](seerr-team/seerr#2686)) - ([f40323c](seerr-team/seerr@f40323c)) - *(movie,tv)* Respect display language for trailers ([#2674](seerr-team/seerr#2674)) - ([90d407d](seerr-team/seerr@90d407d)) - *(open-api)* Add missing mediaType query parameter to blocklist and watchlist ([#2722](seerr-team/seerr#2722)) - ([c7185d4](seerr-team/seerr@c7185d4)) - *(override-rules)* Remove users from `useEffect` dependency array ([#2771](seerr-team/seerr#2771)) - ([be57997](seerr-team/seerr@be57997)) - *(overseerr-merge)* Sanitise corrupt quota values during overseerr migration ([#2863](seerr-team/seerr#2863)) - ([43eff25](seerr-team/seerr@43eff25)) - *(plex)* Set 4K Plex URLs whenever ratingKey4k is set ([#2635](seerr-team/seerr#2635)) - ([1548948](seerr-team/seerr@1548948)) - *(proxy)* Add path validation guardrail to imageproxy ([#2531](seerr-team/seerr#2531)) - ([e086081](seerr-team/seerr@e086081)) - *(region-selector)* Prevent empty region reporting during sync ([#2636](seerr-team/seerr#2636)) - ([fbfcb43](seerr-team/seerr@fbfcb43)) - *(request)* Record modifiedBy on retry and add route tests ([#2824](seerr-team/seerr#2824)) - ([20ccd4b](seerr-team/seerr@20ccd4b)) - *(request)* Correct delete permission check and await movie save ([#2742](seerr-team/seerr#2742)) - ([6aeab38](seerr-team/seerr@6aeab38)) - *(requests)* Mark requests as completed when media is already available ([#2462](seerr-team/seerr#2462)) - ([d25d0ca](seerr-team/seerr@d25d0ca)) - *(settings)* Persist new settings defaults to disk on startup ([#2884](seerr-team/seerr#2884)) - ([66130be](seerr-team/seerr@66130be)) - *(settings)* Serialize settings writes and prevent partial overwrites ([#2696](seerr-team/seerr#2696)) - ([6c52a2f](seerr-team/seerr@6c52a2f)) - *(settings)* Remove beta info banner ([#2615](seerr-team/seerr#2615)) - ([fece753](seerr-team/seerr@fece753)) - *(setup)* Fix Plex login not proceeding after authentication ([#2596](seerr-team/seerr#2596)) - ([1dc5154](seerr-team/seerr@1dc5154)) - *(watchlist-sync)* Handle empty watchlists on PostgreSQL ([#2718](seerr-team/seerr#2718)) - ([865396f](seerr-team/seerr@865396f)) - Improve local login UX ([#2849](seerr-team/seerr#2849)) - ([aef2481](seerr-team/seerr@aef2481)) - Await missing repository saves ([#2760](seerr-team/seerr#2760)) - ([1bb638e](seerr-team/seerr@1bb638e)) - Helm chart liveness and readiness probe ([#2755](seerr-team/seerr#2755)) - ([4434c45](seerr-team/seerr@4434c45)) - Disambiguate tmdb ids by media type across lookups ([#2577](seerr-team/seerr#2577)) - ([0be1896](seerr-team/seerr@0be1896)) - Anchor streaming service filter check icon to each provider card ([#2634](seerr-team/seerr#2634)) - ([94ccd47](seerr-team/seerr@94ccd47)) ##### 📖 Documentation - *(contributing-guide)* Fix a typo ([#2807](seerr-team/seerr#2807)) - ([6f9b743](seerr-team/seerr@6f9b743)) - *(docker)* Replace backslashes by backticks in windows docker run commands \[skip-ci] ([#2557](seerr-team/seerr#2557)) - ([40e02bb](seerr-team/seerr@40e02bb)) - Clarify Docker volume creation instructions on fresh Windows install ([#2861](seerr-team/seerr#2861)) - ([a133930](seerr-team/seerr@a133930)) - Move network-related docs to a dedicated tab ([#2791](seerr-team/seerr#2791)) - ([5bbdc52](seerr-team/seerr@5bbdc52)) - Promote Nixpkgs as an official installation method ([#2775](seerr-team/seerr#2775)) - ([05ad60c](seerr-team/seerr@05ad60c)) - Fix PM2 start command syntax ([#2713](seerr-team/seerr#2713)) - ([5373da4](seerr-team/seerr@5373da4)) ##### 🚜 Refactor - *(imageproxy)* Reduce noisy image cache logging ([#2789](seerr-team/seerr#2789)) - ([036d000](seerr-team/seerr@036d000)) - *(notifications)* Move event from author to title field in Discord Embed ([#2119](seerr-team/seerr#2119)) - ([a2d1e1b](seerr-team/seerr@a2d1e1b)) - *(userlist)* Responsive columns and buttons ([#2083](seerr-team/seerr#2083)) - ([dbe1fca](seerr-team/seerr@dbe1fca)) - *(watchlistsync)* Log media request creation after success instead of before ([#2790](seerr-team/seerr#2790)) - ([685cb44](seerr-team/seerr@685cb44)) - Rename Error components to ErrorPage ([#2668](seerr-team/seerr#2668)) - ([d5c5f1f](seerr-team/seerr@d5c5f1f)) ##### 🧪 Testing - *(user-list)* Deflake sorting assertions ([#2766](seerr-team/seerr#2766)) - ([20c2ed8](seerr-team/seerr@20c2ed8)) - Support server-side unit testing ([#2485](seerr-team/seerr#2485)) - ([8563362](seerr-team/seerr@8563362)) ##### ⚙️ Miscellaneous Tasks - *(actions)* Update github actions ([#2683](seerr-team/seerr#2683)) - ([a2154f9](seerr-team/seerr@a2154f9)) - *(actions)* Update github actions ([#2672](seerr-team/seerr#2672)) - ([f047cab](seerr-team/seerr@f047cab)) - *(actions)* Update github actions ([#2632](seerr-team/seerr#2632)) - ([e25c1a5](seerr-team/seerr@e25c1a5)) - *(create-tag)* Correct quote style in commit message for tag preparation ([#2593](seerr-team/seerr#2593)) - ([687f18b](seerr-team/seerr@687f18b)) - *(docker)* Release alias for major and minor version series ([#2881](seerr-team/seerr#2881)) - ([1cc73a8](seerr-team/seerr@1cc73a8)) - *(i18n)* Update translations from Weblate - ([e85216a](seerr-team/seerr@e85216a)) - *(i18n)* Update translations from Weblate - ([b1adc79](seerr-team/seerr@b1adc79)) - *(i18n)* Update translations from Weblate ([#2419](seerr-team/seerr#2419)) - ([4bd7c19](seerr-team/seerr@4bd7c19)) - *(pr-validation)* Make checklist box detection case-insensitive ([#2802](seerr-team/seerr#2802)) - ([58514ec](seerr-team/seerr@58514ec)) - *(pr-validation)* Update pull request permissions to write for validation jobs ([#2800](seerr-team/seerr#2800)) - ([986761f](seerr-team/seerr@986761f)) - *(pr-validation)* Disable package manager cache in nodejs setup ([#2799](seerr-team/seerr#2799)) - ([67e27d5](seerr-team/seerr@67e27d5)) - *(release)* Prepare v3.2.0 - ([e0b2a1c](seerr-team/seerr@e0b2a1c)) - *(release)* Merge develop into main - ([c5800a0](seerr-team/seerr@c5800a0)) - Bump minimum required node version to 22.19.0 ([#2873](seerr-team/seerr#2873)) - ([891265f](seerr-team/seerr@891265f)) - Add PR validation workflow and update contributing guidelines ([#2777](seerr-team/seerr#2777)) - ([772e83d](seerr-team/seerr@772e83d)) - Upgrade to eslint v9 ([#2574](seerr-team/seerr#2574)) - ([36243a0](seerr-team/seerr@36243a0)) - Ignore helm scope in git-cliff ([#2638](seerr-team/seerr#2638)) - ([4d2b658](seerr-team/seerr@4d2b658)) ##### New Contributors ❤️ - [@aslafy-z](https://github.com/aslafy-z) made their first contribution - [@leereilly](https://github.com/leereilly) made their first contribution - [@jisef](https://github.com/jisef) made their first contribution - [@dougrathbone](https://github.com/dougrathbone) made their first contribution - [@bobziroll](https://github.com/bobziroll) made their first contribution - [@v3DJG6GL](https://github.com/v3DJG6GL) made their first contribution - [@Roboroads](https://github.com/Roboroads) made their first contribution - [@costajohnt](https://github.com/costajohnt) made their first contribution - [@tiagodefendi](https://github.com/tiagodefendi) made their first contribution - [@Jyasapara](https://github.com/Jyasapara) made their first contribution - [@Sym-jay](https://github.com/Sym-jay) made their first contribution - [@bibi0019](https://github.com/bibi0019) made their first contribution - [@redondos](https://github.com/redondos) made their first contribution - [@bogo22](https://github.com/bogo22) made their first contribution - [@jabloink](https://github.com/jabloink) made their first contribution - [@YakGravity](https://github.com/YakGravity) made their first contribution - [@dj0024javia](https://github.com/dj0024javia) made their first contribution - [@Jerra94](https://github.com/Jerra94) made their first contribution - [@its-wizza](https://github.com/its-wizza) made their first contribution - [@ventiph](https://github.com/ventiph) made their first contribution - [@RinZ27](https://github.com/RinZ27) made their first contribution </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/187 Co-authored-by: bot-owl <bot@erwanleboucher.dev> Co-committed-by: bot-owl <bot@erwanleboucher.dev>

)

RinZ27 requested a review from a team as a code owner February 20, 2026 14:46

gauthier-th requested a review from Copilot February 21, 2026 13:58

Copilot started reviewing on behalf of gauthier-th February 21, 2026 13:59 View session

gauthier-th reviewed Feb 21, 2026

View reviewed changes

Comment thread server/routes/imageproxy.ts Outdated

Copilot AI reviewed Feb 21, 2026

View reviewed changes

Comment thread server/routes/imageproxy.ts Outdated

RinZ27 force-pushed the feat/imageproxy-guardrails branch from 748e6d0 to 1e54d07 Compare February 22, 2026 04:58

RinZ27 requested a review from gauthier-th February 23, 2026 03:38

gauthier-th requested changes Feb 23, 2026

View reviewed changes

Comment thread server/routes/imageproxy.ts Outdated

feat: add path validation guardrail to imageproxy

85ebf66

RinZ27 force-pushed the feat/imageproxy-guardrails branch from 1e54d07 to 85ebf66 Compare February 23, 2026 10:27

gauthier-th changed the title ~~feat: add path validation guardrail to imageproxy~~ fix(proxy): add path validation guardrail to imageproxy Feb 23, 2026

gauthier-th approved these changes Feb 23, 2026

View reviewed changes

fallenbagel approved these changes Feb 27, 2026

View reviewed changes

fallenbagel merged commit e086081 into seerr-team:develop Feb 27, 2026
11 checks passed

RinZ27 deleted the feat/imageproxy-guardrails branch February 28, 2026 04:32

gwlsn pushed a commit to gwlsn/seerr that referenced this pull request Mar 21, 2026

fix(proxy): add path validation guardrail to imageproxy (seerr-team#2531

4a186e2

)

coderabbitai Bot mentioned this pull request Mar 26, 2026

refactor: extract hardcoded route paths into shared constants #2762

Closed

7 tasks

ecsousa pushed a commit to ecsousa/seerr that referenced this pull request Apr 5, 2026

fix(proxy): add path validation guardrail to imageproxy (seerr-team#2531

a9a4fb8

)

lucianchauvin pushed a commit to lucianchauvin/jellyseerr that referenced this pull request Apr 20, 2026

fix(proxy): add path validation guardrail to imageproxy (seerr-team#2531

bf8ecfd

)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(proxy): add path validation guardrail to imageproxy#2531

fix(proxy): add path validation guardrail to imageproxy#2531
fallenbagel merged 1 commit intoseerr-team:developfrom
RinZ27:feat/imageproxy-guardrails

RinZ27 commented Feb 20, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Feb 20, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

RinZ27 commented Feb 23, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

RinZ27 commented Feb 20, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

How Has This Been Tested?

Checklist:

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

RinZ27 commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

RinZ27 commented Feb 20, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Feb 20, 2026 •

edited

Loading

RinZ27 commented Feb 23, 2026 •

edited

Loading