From e086081b19d65c463d0993e0660bd0524367aaa0 Mon Sep 17 00:00:00 2001
From: Rin <dangnhatrin90@gmail.com>
Date: Sat, 28 Feb 2026 02:14:05 +0700
Subject: [PATCH] fix(proxy): add path validation guardrail to imageproxy
 (#2531)

---
 server/routes/imageproxy.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server/routes/imageproxy.ts b/server/routes/imageproxy.ts
index ac2fbe08..ede3e83e 100644
--- a/server/routes/imageproxy.ts
+++ b/server/routes/imageproxy.ts
@@ -32,6 +32,12 @@ function initTvdbImageProxy() {
 
 router.get('/:type/*', async (req, res) => {
   const imagePath = req.path.replace(/^\/\w+/, '');
+
+  if (imagePath.startsWith('//') || imagePath.includes('://')) {
+    logger.error('Invalid URL for image proxy', { imagePath });
+    return res.status(403).send('Invalid URL for image proxy');
+  }
+
   try {
     let imageData;
     if (req.params.type === 'tmdb') {