@involvex/youtube-music-cli 0.0.22 → 0.0.23
- package/CHANGELOG.md +2 -0
- package/dist/source/services/scrobbling/scrobbling.service.js +1 -1
- package/dist/source/services/web/static-file.service.d.ts +1 -0
- package/dist/source/services/web/static-file.service.js +24 -2
- package/dist/youtube-music-cli.exe +0 -0
- package/package.json +1 -1
- package/readme.md +1 -1
package/CHANGELOG.md
CHANGED
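--- a/package/dist/source/services/web/static-file.service.js
+++ b/package/dist/source/services/web/static-file.service.js
@@ -1,7 +1,7 @@
 // Static file serving service for web UI
 import { readFile } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
-import { extname, join, dirname } from 'node:path';
+import { extname, join, dirname, normalize, resolve, sep } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { logger } from "../logger/logger.service.js";
 const MIME_TYPES = {
@@ -55,6 +55,23 @@ class StaticFileService {
 const ext = extname(filePath).toLowerCase();
 return MIME_TYPES[ext] || 'application/octet-stream';
 }
+resolveSafeFilePath(urlPath) {
+let decodedPath;
+try {
+decodedPath = decodeURIComponent(urlPath);
+}
+catch {
+return null;
+}
+const relativePath = normalize(decodedPath).replace(/^[\\/]+/, '');
+const rootPath = resolve(this.webDistDir);
+const resolvedPath = resolve(rootPath, relativePath);
+const rootPrefix = rootPath.endsWith(sep) ? rootPath : `${rootPath}${sep}`;
+if (resolvedPath !== rootPath && !resolvedPath.startsWith(rootPrefix)) {
+return null;
+}
+return resolvedPath;
+}
 /**
 * Load index.html into memory
 */
@@ -111,7 +128,12 @@ class StaticFileService {
 return;
 }
 // Serve static files
-const filePath =
+const filePath = this.resolveSafeFilePath(urlPath);
+if (!filePath) {
+res.writeHead(400, { 'Content-Type': 'text/plain' });
+res.end('Bad Request');
+return;
+}
 try {
 // Check if file exists
 if (!existsSync(filePath)) {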
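Review bot: The containment check in `resolveSafeFilePath` is lexical only: `resolve()` does not follow symlinks, so a link inside `webDistDir` that points elsewhere would still pass `resolvedPath.startsWith(rootPrefix)`. Whether the web dist directory can ever contain links is not visible here; if it can, compare real paths after the existence check, e.g. `const realPath = realpathSync(resolvedPath);` tested against `realpathSync(rootPath)` (this needs `realpathSync` added to the `node:fs` import). The new 400 branch in the request handler, whose body starts and ends outside the third hunk, rejects silently; `logger` is already imported, so recording the escaped `urlPath` there would make rejected traversal-style requests visible in the logs. The method also has no doc comment, unlike its neighbour; something like `/** Resolve a request path to an absolute path inside webDistDir; returns null for malformed percent-encoding or a path that escapes the root. */` would state the contract.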
Binary file
package/package.json
CHANGED
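--- a/package/readme.md
+++ b/package/readme.md
@@ -105,7 +105,7 @@ brew install involvex/youtube-music-cli/youtube-music-cli
 winget install Involvex.YoutubeMusicCLI
 ```
 
-> Maintainers: tag pushes trigger `.github/workflows/homebrew-publish.yml` and `.github/workflows/winget-publish.yml`. Set `WINGETCREATE_TOKEN` and make sure `Involvex.YoutubeMusicCLI` exists in winget-pkgs for automated updates.
+> Maintainers: tag pushes trigger `.github/workflows/homebrew-publish.yml` and `.github/workflows/winget-publish.yml`. Homebrew uses the tap format `involvex/youtube-music-cli/youtube-music-cli`, so ensure the formula file exists on the default branch at `Formula/youtube-music-cli.rb` for the tap installation to work. Set `WINGETCREATE_TOKEN` and make sure `Involvex.YoutubeMusicCLI` exists in winget-pkgs for automated updates.
 
 ### From Source
 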