chore(listenbrainz): blacklist non-coverartarchive urls for cover endpoint

SapphoSys · SapphoSys · commit aa93d200a8fa · 2025-10-11T18:18:41.000+05:00
diff --git a/src/pages/api/listenbrainz/cover.ts b/src/pages/api/listenbrainz/cover.ts
@@ -32,7 +32,9 @@ export const GET: APIRoute = async ({ url }) => {
   const imageUrl = url.searchParams.get('url');
   const wantBlurhash = url.searchParams.get('blurhash') === 'true';
 
-  if (!imageUrl || !/^https?:\/\//.test(imageUrl)) {
+  // Only allow Cover Art Archive URLs
+  const coverArtArchivePattern = /^https?:\/\/(?:[^.]+\.)?coverartarchive\.org\//i;
+  if (!imageUrl || !coverArtArchivePattern.test(imageUrl)) {
     return new Response('Missing or invalid url parameter', { status: 400 });
   }
 

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,9 @@ export const GET: APIRoute = async ({ url }) => {`
`32`	`32`	`const imageUrl = url.searchParams.get('url');`
`33`	`33`	`const wantBlurhash = url.searchParams.get('blurhash') === 'true';`
`34`	`34`
`35`		`- if (!imageUrl \|\| !/^https?:\/\//.test(imageUrl)) {`
	`35`	`+ // Only allow Cover Art Archive URLs`
	`36`	`+ const coverArtArchivePattern = /^https?:\/\/(?:[^.]+\.)?coverartarchive\.org\//i;`
	`37`	`+ if (!imageUrl \|\| !coverArtArchivePattern.test(imageUrl)) {`
`36`	`38`	`return new Response('Missing or invalid url parameter', { status: 400 });`
`37`	`39`	`}`
`38`	`40`