mirror of
https://github.com/rommapp/romm.git
synced 2026-07-01 08:16:21 +00:00
Standard media fields (url_cover, url_manual, url_screenshots) were downloaded using the stored credential-less URLs, causing them to count against the anonymous IP quota instead of the user's SS account. Apply add_ss_auth_to_url() at each download call site in the scan and ROM update paths.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(screenscraper): guard add_ss_auth_to_url against non-SS URLs

Only inject ssid/sspassword into screenscraper.fr URLs to prevent leaking user credentials to third-party sources (IGDB, LaunchBox, etc.) when url_cover/url_manual/url_screenshots originate from other providers. Add tests for the non-SS no-op and empty-string edge cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(screenscraper): verify SS credentials injected for all media download paths

- TestAddSsAuthToUrl: add guards for non-SS URLs (IGDB, LaunchBox) and empty string inputs
- test_update_rom: verify ssid/sspassword appear in url_cover and url_manual args passed to get_cover/get_manual for screenscraper.fr URLs; verify IGDB URLs are NOT decorated with SS credentials
- TestScanCredentialInjection: verify the scan-path ternary pattern correctly applies add_ss_auth_to_url to cover and screenshot URLs, and that a None cover URL passes through without error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(screenscraper): empirical audit — every SS request carries ssid/sspassword

Intercepts both HTTP clients at the transport/session level to verify that every outgoing screenscraper.fr request is decorated with the user's ssid and sspassword credentials:

aiohttp (API calls via auth_middleware):
- jeuInfos.php, jeuRecherche.php, ssinfraInfos.php, ssuserInfos.php

httpx (media downloads via FSResourcesHandler):
- get_cover → url_cover
- get_manual → url_manual
- get_rom_screenshots → url_screenshots (each URL)
- store_media_file → extra media (fanart, bezel, etc.)

Also verifies the domain guard: IGDB URLs passed through add_ss_auth_to_url are NOT decorated with SS credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
41 KiB