fix: correct

escape sequences in fetch_proxy_list (syntax error)
docker-compose.yml aktualisiert
2026-04-13 18:16:23 +00:00 · 2026-04-13 18:06:01 +00:00 · 2026-04-13 17:59:29 +00:00 · 2026-04-13 17:59:08 +00:00 · 2026-04-13 17:59:08 +00:00 · 2026-04-13 17:58:49 +00:00
7 changed files with 1369 additions and 1062 deletions
--- a/.env.example
+++ b/.env.example
@@ -53,3 +53,9 @@ BASIC_AUTH_PASS=CHANGE_ME

 # ===== Polling =====
 POLL_SECONDS=5
+
+# ===== SSH host key verification (optional) =====
+# Path to known_hosts file inside container. If present, strict host key
+# checking is used. If absent, all host keys are accepted (less secure).
+# Generate with: ssh-keyscan -p 22 192.168.1.1 > known_hosts
+# SSH_KNOWN_HOSTS=/ssh/known_hosts
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Web GUI to:

 ## Files
 - `docker-compose.yml` – stack
- `.env.example` – copy to `.env` and fill values
+- `.env.example` – copy to `.env` and fill in your values (**never commit `.env`!**)
 - `jd-webgui/app.py` – FastAPI web app
 - `jd-webgui/Dockerfile` – includes ffprobe

@@ -40,6 +40,16 @@ docker compose up -d --build
 - If `MYJD_DEVICE` is empty, the WebGUI will automatically pick the first available device.
 - Ensure the SSH user can write to `/jellyfin/Filme` (and series dir if used).

+## Security
+- **Never commit `.env`** – it contains passwords and API keys. Only `.env.example` is tracked.
+- **SSH host key verification**: For secure SFTP transfers, provide a `known_hosts` file:
+  ```bash
+  ssh-keyscan -p 22 192.168.1.1 > known_hosts
+  ```
+  Mount it in `docker-compose.yml` and set `SSH_KNOWN_HOSTS=/ssh/known_hosts`.
+  Without it, any host key is accepted (MITM risk on untrusted networks).
+- **Basic Auth** protects the WebGUI but transmits credentials in cleartext over HTTP. Use a reverse proxy with HTTPS (e.g. Traefik, Caddy) in production.
+
 ## Troubleshooting
 - Device not found: list devices
 ```bash
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,11 +21,9 @@ services:
      - jdownloader
    ports:
      - "8080:8080"
-    env_file:
-      - .env
    environment:
      TZ: Europe/Berlin
    volumes:
      - ./data/jd-output:/output:rw
      - ./data/md5:/md5:rw
-      - /root/.ssh/id_ed25519:/ssh/id_ed25519:ro
+      - ${SSH_KEY_PATH:-/root/.ssh/id_ed25519}:/ssh/id_ed25519:ro
--- a/jd-webgui/Dockerfile
+++ b/jd-webgui/Dockerfile
@@ -2,19 +2,17 @@ FROM python:3.12-slim

 WORKDIR /app

-RUN apt-get update \
- && apt-get install -y --no-install-recommends ffmpeg \
- && rm -rf /var/lib/apt/lists/*
+RUN apt-get update  && apt-get install -y --no-install-recommends ffmpeg  && rm -rf /var/lib/apt/lists/*

-RUN pip install --no-cache-dir \
-    fastapi \
-    uvicorn \
-    myjdapi \
-    paramiko \
-    python-multipart
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt

-COPY app.py /app/app.py
-COPY static /app/static
+RUN useradd -m -u 1000 appuser  && chown appuser:appuser /app
+
+USER appuser
+
+COPY --chown=appuser:appuser app.py .
+COPY --chown=appuser:appuser static ./static

 EXPOSE 8080
 CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8080"]
--- a/jd-webgui/app.py
+++ b/jd-webgui/app.py
--- a/jd-webgui/requirements.txt
+++ b/jd-webgui/requirements.txt
@@ -0,0 +1,5 @@
+fastapi
+uvicorn
+myjdapi
+paramiko
+python-multipart
--- a/jd-webgui/static/style.css
+++ b/jd-webgui/static/style.css
@@ -19,3 +19,4 @@ code { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; fo
 .progress-row { display:flex; align-items:center; gap:8px; margin-top:6px; }
 .progress-text { font-size:12px; color:#333; min-width:48px; }
 .inline-form { margin-top:6px; }
+.log-area { width:100%; max-width: 920px; padding:10px; border:1px solid #ccc; border-radius:8px; background:#fff; }
Author	SHA1	Message	Date
DasPoschi	7a7f9979cd	fix: correct escape sequences in fetch_proxy_list (syntax error)	2026-04-13 18:16:23 +00:00
DasPoschi	6b17e8bc06	docker-compose.yml aktualisiert	2026-04-13 18:06:01 +00:00
DasPoschi	54ae313563	fix(security+perf): SSRF protection, timing-safe auth, proxy cache, submit error handling	2026-04-13 17:59:29 +00:00
DasPoschi	b34d4062a4	fix(docker): run as non-root user (appuser:1000), use requirements.txt	2026-04-13 17:59:08 +00:00
DasPoschi	79230d62a2	chore: extract pip dependencies to requirements.txt	2026-04-13 17:59:08 +00:00
DasPoschi	71b6645157	fix(docker): use SSH_KEY_PATH env var and add env_file for jd-webgui	2026-04-13 17:58:49 +00:00
DasPoschi	0fe0e436aa	Update docker-compose.yml	2026-04-12 16:43:36 +02:00
DasPoschi	6d103d42c5	Merge pull request #19 from DasPoschi/claude/audit-security-performance-pWwx2 Add security hardening and XSS protection	2026-04-06 09:49:22 +02:00
Claude	a879543a1c	Security audit: fix XSS, missing function, improve SSH & URL handling - Fix XSS: HTML-escape all user input (URLs, package names, errors, proxy data) - Fix NameError: add missing is_demo_link() function (called but undefined) - Fix: remove unused http_in fetch in proxies_get() - Security: mask API keys in log output (TMDB key no longer visible in logs) - Security: use known_hosts for SSH host key verification when available - Security: remove .env from git tracking, add .env.example template - Usability: add URL reachability check before submitting to JDownloader - Usability: add "Erledigte Jobs entfernen" button to clear finished/failed jobs - Usability: color-code job status (red for failed, green for finished) - Docs: add security section to README (known_hosts, HTTPS, .env) https://claude.ai/code/session_01S774Pqazr2U8vkSyhUBgDs	2026-04-06 07:46:53 +00:00
DasPoschi	44e4354d1f	Merge pull request #18 from DasPoschi/codex/fix-jdownloader-api-package-removal-error-54zoo0 Detect demo link downloads and fail early	2026-01-21 21:25:03 +01:00
DasPoschi	f87f0f5cdc	Merge branch 'main' into codex/fix-jdownloader-api-package-removal-error-54zoo0	2026-01-21 21:23:26 +01:00
DasPoschi	68353b33aa	Detect demo link downloads and fail early	2026-01-21 21:22:59 +01:00
DasPoschi	c3b1fcadfa	Merge pull request #17 from DasPoschi/codex/fix-jdownloader-api-package-removal-error Add raw MyJDownloader API fallback for removing/canceling links	2026-01-21 21:09:25 +01:00
DasPoschi	25ad8c05d0	Add raw API cleanup fallback for JDownloader	2026-01-21 21:08:48 +01:00
DasPoschi	b65cb53463	Merge pull request #16 from DasPoschi/codex/fetch-proxies-from-proxyscrape-api-4xe4oq Remove proxy blacklist and HTTP proxy handling; use ProxyScrape SOCKS lists	2026-01-04 14:46:16 +01:00
DasPoschi	6c13fbbb2f	Merge branch 'main' into codex/fetch-proxies-from-proxyscrape-api-4xe4oq	2026-01-04 14:46:06 +01:00
DasPoschi	33282ddbcb	Remove proxy blacklist filters	2026-01-04 14:45:44 +01:00
DasPoschi	7795e22744	Merge pull request #15 from DasPoschi/codex/fetch-proxies-from-proxyscrape-api-4vaqb3 Remove HTTP proxies from proxy UI	2026-01-04 14:27:14 +01:00
DasPoschi	e83f1323cd	Merge branch 'main' into codex/fetch-proxies-from-proxyscrape-api-4vaqb3	2026-01-04 14:27:07 +01:00
DasPoschi	194b16e09c	Remove HTTP proxies from UI	2026-01-04 14:26:36 +01:00
DasPoschi	423e8e28ec	Merge pull request #14 from DasPoschi/codex/fetch-proxies-from-proxyscrape-api Use ProxyScrape API for SOCKS lists and normalize single-line responses	2026-01-04 14:20:54 +01:00
DasPoschi	daeee039fa	Update proxy sources for socks lists	2026-01-04 14:20:38 +01:00
DasPoschi	97a5afbee9	Update app.py	2026-01-03 23:09:10 +01:00
DasPoschi	a2de578087	Merge pull request #13 from DasPoschi/codex/configure-proxies-for-downloads-only-r44dl5 Add *.your-server.de to proxy blacklist	2026-01-03 23:04:38 +01:00
DasPoschi	c3aac479fe	Merge branch 'main' into codex/configure-proxies-for-downloads-only-r44dl5	2026-01-03 22:56:21 +01:00
DasPoschi	1350b50199	Add your-server.de to proxy blacklist	2026-01-03 22:55:54 +01:00
DasPoschi	6b06134edf	Merge pull request #12 from DasPoschi/codex/configure-proxies-for-downloads-only Bypass proxies for internal HTTP calls	2026-01-03 22:43:36 +01:00
DasPoschi	be4785b04a	Bypass proxies for non-download requests	2026-01-03 22:42:49 +01:00
DasPoschi	db39f2b55e	Merge pull request #11 from DasPoschi/codex/add-proxy-list-import-function-3g187r Refresh jobs table via `/jobs` endpoint instead of full page reload	2026-01-01 22:23:09 +01:00
DasPoschi	a0e7ed91c7	Update jobs progress without full reload	2026-01-01 22:22:41 +01:00
DasPoschi	7443a0e0ca	Merge pull request #10 from DasPoschi/codex/add-proxy-list-import-function-g3956j Add JDProxies blacklist filters and save/export support	2026-01-01 22:12:53 +01:00
DasPoschi	3cf7581797	Merge branch 'main' into codex/add-proxy-list-import-function-g3956j	2026-01-01 22:12:44 +01:00
DasPoschi	e9ccb51f13	Add JDProxies blacklist filters	2026-01-01 22:12:10 +01:00
DasPoschi	a549ba66ba	Merge pull request #9 from DasPoschi/codex/add-proxy-list-import-function-q1akx1 Write JDProxies JSON export and add save endpoint/UI	2026-01-01 21:27:20 +01:00
DasPoschi	f1267a46a1	Merge branch 'main' into codex/add-proxy-list-import-function-q1akx1	2026-01-01 21:27:13 +01:00
DasPoschi	9baf87cc33	Write jdproxies JSON export format	2026-01-01 21:26:47 +01:00
DasPoschi	d57948af82	Merge pull request #8 from DasPoschi/codex/add-proxy-list-import-function-p0zu8g Export proxies as .jdproxies and add save endpoint/UI	2026-01-01 21:06:59 +01:00
DasPoschi	93310e3d99	Merge branch 'main' into codex/add-proxy-list-import-function-p0zu8g	2026-01-01 21:06:52 +01:00
DasPoschi	00c72a78d2	Export proxies as jdproxies file	2026-01-01 21:04:41 +01:00
DasPoschi	2891466635	Merge pull request #7 from DasPoschi/codex/add-proxy-list-import-function Add proxy export file support for JDownloader	2026-01-01 20:57:12 +01:00