getumbrel / umbrel-apps

The official app repository of the Umbrel App Store. Submit apps and updates here. Learn how → https://github.com/getumbrel/umbrel-apps#readme
https://apps.umbrel.com

[FIX] a critical issue with Jackett #1051

Closed highghlow closed 5 months ago

highghlow commented 5 months ago

Jackett, in its Torznab feed, sets the torrent URL as http:///dl/..., which is protected by umbrel's app proxy. This PR removes protection for dl/*

(Based on app-proxy's source code, the whitelist can be separated with /[, ]*/)

highghlow commented 5 months ago

I have successfully downloaded a movie using Radarr after this change (before it there was an error)

mayankchhabra commented 5 months ago

Hey @highghlow! Thanks for your PR! I just wanted to jump in and say that we notice all your PRs and really appreciate it! Sorry for the delay, our engineering team has been backlogged heavily by some critical umbrelOS updates. We will get to reviewing your work this week.

highghlow commented 5 months ago

> we notice all your PRs and really appreciate it!

Thanks :)

> Sorry for the delay, our engineering team has been backlogged heavily by some critical umbrelOS updates. We will get to reviewing your work this week.

Yea, I understand it. I try to help where I can. (You made an awesome project, thank you!)

nmfretz commented 5 months ago

Hey @highghlow, thanks for this PR!

I don't have any issues using Jackett with Sonarr/Radarr as-is. Can you please do another test with the current app's configuration and let me know the exact steps to reproduce the issue?

We currently whitelist /api/* because that is how apps like Sonarr and Radarr communicate with Jackett. For example, the Torznab feed URL for EZTV is http://<your-devices-ip>:9117/api/v2.0/indexers/eztv/results/torznab/. This is what gets used by Sonarr for example. Whereabouts does a request with http:///dl/... get sent to Jackett?

Thanks for bearing with me.

highghlow commented 5 months ago

> Whereabouts does a request with http:///dl/... get sent to Jackett?

Jackett, in its Torznab responses, says that the torrent file URL is:

http://${jackett_ip}:9117/dl/${tracker}/?jackett_apikey=${api_key}&path=${file_uid}&file=${filename}

This is useful when the tracker is private or needs a proxy.

When Sonarr, Radarr or my app try to download the torrent, they get the file from this url (and a login page is not a valid torrent file)

> Thanks for bearing with me.

No problem : )
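
The mismatch described in the comment above, as an added example that is not part of the PR or of Jackett's or Umbrel's code: it pulls the download links out of a constructed Torznab response and lists the paths that match no whitelist pattern. The feed contents, the names `download_urls` and `blocked_by_proxy`, and the glob-style path matching are assumptions made for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed Torznab (RSS) sample; host, tracker, key and file values are
# placeholders shaped like the URL template quoted in the comment above.
SAMPLE_FEED = """<rss version="2.0"><channel>
  <item>
    <link>http://192.0.2.10:9117/dl/exampletracker/?jackett_apikey=PLACEHOLDER&amp;path=UID1&amp;file=Example.Release</link>
    <enclosure type="application/x-bittorrent" url="http://192.0.2.10:9117/dl/exampletracker/?jackett_apikey=PLACEHOLDER&amp;path=UID1&amp;file=Example.Release" />
  </item>
  <item>
    <link>magnet:?xt=urn:btih:PLACEHOLDER</link>
  </item>
</channel></rss>"""


def download_urls(feed_xml):
    """Return the distinct <link> and <enclosure url> values of all feed items."""
    urls = []
    for item in ET.fromstring(feed_xml).iter("item"):
        enclosure = item.find("enclosure")
        candidates = [item.findtext("link")]
        if enclosure is not None:
            candidates.append(enclosure.get("url"))
        for url in candidates:
            if url and url not in urls:
                urls.append(url)
    return urls


def blocked_by_proxy(feed_xml, whitelist):
    """List HTTP(S) download paths that match no whitelist pattern.

    Assumption: the auth proxy compares the request path (query string
    excluded) against glob-style patterns; magnet links never reach it.
    """
    blocked = []
    for url in download_urls(feed_xml):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and not any(
                fnmatch.fnmatchcase(parts.path, pat) for pat in whitelist):
            blocked.append(parts.path)
    return blocked


if __name__ == "__main__":
    print(blocked_by_proxy(SAMPLE_FEED, ["/api/*"]))           # /api/* only
    print(blocked_by_proxy(SAMPLE_FEED, ["/api/*", "/dl/*"]))  # with /dl/* added
```

Every pattern added to the whitelist is a path served without the Umbrel login, so keep the patterns as narrow as the links in the feed allow.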

nmfretz commented 5 months ago

> This is useful when the tracker is private or needs a proxy.

Ah wonderful, thanks for that explanation. I had only been testing with public indexers.

I have bumped Jackett to the latest version 0.21.2446, and updated the app manifest with version and release notes. The version line in the umbrel-app.yml is what tells umbrelOS that there is an update available for a user. If this is changed then a user will see an available update in the UI.

Thanks again @highghlow!