fix: correct

escape sequences in fetch_proxy_list (syntax error)
docker-compose.yml aktualisiert
2026-04-13 18:16:23 +00:00 · 2026-04-13 18:06:01 +00:00 · 2026-04-13 17:59:29 +00:00 · 2026-04-13 17:59:08 +00:00 · 2026-04-13 17:59:08 +00:00 · 2026-04-13 17:58:49 +00:00
6 changed files with 1368 additions and 1222 deletions
--- a/.env.example
+++ b/.env.example
@@ -53,3 +53,9 @@ BASIC_AUTH_PASS=CHANGE_ME

 # ===== Polling =====
 POLL_SECONDS=5
+
+# ===== SSH host key verification (optional) =====
+# Path to known_hosts file inside container. If present, strict host key
+# checking is used. If absent, all host keys are accepted (less secure).
+# Generate with: ssh-keyscan -p 22 192.168.1.1 > known_hosts
+# SSH_KNOWN_HOSTS=/ssh/known_hosts
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Web GUI to:

 ## Files
 - `docker-compose.yml` – stack
- `.env.example` – copy to `.env` and fill values
+- `.env.example` – copy to `.env` and fill in your values (**never commit `.env`!**)
 - `jd-webgui/app.py` – FastAPI web app
 - `jd-webgui/Dockerfile` – includes ffprobe

@@ -40,6 +40,16 @@ docker compose up -d --build
 - If `MYJD_DEVICE` is empty, the WebGUI will automatically pick the first available device.
 - Ensure the SSH user can write to `/jellyfin/Filme` (and series dir if used).

+## Security
+- **Never commit `.env`** – it contains passwords and API keys. Only `.env.example` is tracked.
+- **SSH host key verification**: For secure SFTP transfers, provide a `known_hosts` file:
+  ```bash
+  ssh-keyscan -p 22 192.168.1.1 > known_hosts
+  ```
+  Mount it in `docker-compose.yml` and set `SSH_KNOWN_HOSTS=/ssh/known_hosts`.
+  Without it, any host key is accepted (MITM risk on untrusted networks).
+- **Basic Auth** protects the WebGUI but transmits credentials in cleartext over HTTP. Use a reverse proxy with HTTPS (e.g. Traefik, Caddy) in production.
+
 ## Troubleshooting
 - Device not found: list devices
 ```bash
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,11 +21,9 @@ services:
      - jdownloader
    ports:
      - "8080:8080"
-    env_file:
-      - .env
    environment:
      TZ: Europe/Berlin
    volumes:
      - ./data/jd-output:/output:rw
      - ./data/md5:/md5:rw
-      - /root/.ssh/id_ed25519:/ssh/id_ed25519:ro
+      - ${SSH_KEY_PATH:-/root/.ssh/id_ed25519}:/ssh/id_ed25519:ro
--- a/jd-webgui/Dockerfile
+++ b/jd-webgui/Dockerfile
@@ -2,19 +2,17 @@ FROM python:3.12-slim

 WORKDIR /app

-RUN apt-get update \
- && apt-get install -y --no-install-recommends ffmpeg \
- && rm -rf /var/lib/apt/lists/*
+RUN apt-get update  && apt-get install -y --no-install-recommends ffmpeg  && rm -rf /var/lib/apt/lists/*

-RUN pip install --no-cache-dir \
-    fastapi \
-    uvicorn \
-    myjdapi \
-    paramiko \
-    python-multipart
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt

-COPY app.py /app/app.py
-COPY static /app/static
+RUN useradd -m -u 1000 appuser  && chown appuser:appuser /app
+
+USER appuser
+
+COPY --chown=appuser:appuser app.py .
+COPY --chown=appuser:appuser static ./static

 EXPOSE 8080
 CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8080"]
--- a/jd-webgui/app.py
+++ b/jd-webgui/app.py
--- a/jd-webgui/requirements.txt
+++ b/jd-webgui/requirements.txt
@@ -0,0 +1,5 @@
+fastapi
+uvicorn
+myjdapi
+paramiko
+python-multipart
Author	SHA1	Message	Date
DasPoschi	7a7f9979cd	fix: correct escape sequences in fetch_proxy_list (syntax error)	2026-04-13 18:16:23 +00:00
DasPoschi	6b17e8bc06	docker-compose.yml aktualisiert	2026-04-13 18:06:01 +00:00
DasPoschi	54ae313563	fix(security+perf): SSRF protection, timing-safe auth, proxy cache, submit error handling	2026-04-13 17:59:29 +00:00
DasPoschi	b34d4062a4	fix(docker): run as non-root user (appuser:1000), use requirements.txt	2026-04-13 17:59:08 +00:00
DasPoschi	79230d62a2	chore: extract pip dependencies to requirements.txt	2026-04-13 17:59:08 +00:00
DasPoschi	71b6645157	fix(docker): use SSH_KEY_PATH env var and add env_file for jd-webgui	2026-04-13 17:58:49 +00:00
DasPoschi	0fe0e436aa	Update docker-compose.yml	2026-04-12 16:43:36 +02:00
DasPoschi	6d103d42c5	Merge pull request #19 from DasPoschi/claude/audit-security-performance-pWwx2 Add security hardening and XSS protection	2026-04-06 09:49:22 +02:00
Claude	a879543a1c	Security audit: fix XSS, missing function, improve SSH & URL handling - Fix XSS: HTML-escape all user input (URLs, package names, errors, proxy data) - Fix NameError: add missing is_demo_link() function (called but undefined) - Fix: remove unused http_in fetch in proxies_get() - Security: mask API keys in log output (TMDB key no longer visible in logs) - Security: use known_hosts for SSH host key verification when available - Security: remove .env from git tracking, add .env.example template - Usability: add URL reachability check before submitting to JDownloader - Usability: add "Erledigte Jobs entfernen" button to clear finished/failed jobs - Usability: color-code job status (red for failed, green for finished) - Docs: add security section to README (known_hosts, HTTPS, .env) https://claude.ai/code/session_01S774Pqazr2U8vkSyhUBgDs	2026-04-06 07:46:53 +00:00
DasPoschi	44e4354d1f	Merge pull request #18 from DasPoschi/codex/fix-jdownloader-api-package-removal-error-54zoo0 Detect demo link downloads and fail early	2026-01-21 21:25:03 +01:00
DasPoschi	f87f0f5cdc	Merge branch 'main' into codex/fix-jdownloader-api-package-removal-error-54zoo0	2026-01-21 21:23:26 +01:00
DasPoschi	68353b33aa	Detect demo link downloads and fail early	2026-01-21 21:22:59 +01:00
DasPoschi	c3b1fcadfa	Merge pull request #17 from DasPoschi/codex/fix-jdownloader-api-package-removal-error Add raw MyJDownloader API fallback for removing/canceling links	2026-01-21 21:09:25 +01:00
DasPoschi	25ad8c05d0	Add raw API cleanup fallback for JDownloader	2026-01-21 21:08:48 +01:00
DasPoschi	b65cb53463	Merge pull request #16 from DasPoschi/codex/fetch-proxies-from-proxyscrape-api-4xe4oq Remove proxy blacklist and HTTP proxy handling; use ProxyScrape SOCKS lists	2026-01-04 14:46:16 +01:00
DasPoschi	6c13fbbb2f	Merge branch 'main' into codex/fetch-proxies-from-proxyscrape-api-4xe4oq	2026-01-04 14:46:06 +01:00
DasPoschi	33282ddbcb	Remove proxy blacklist filters	2026-01-04 14:45:44 +01:00
DasPoschi	7795e22744	Merge pull request #15 from DasPoschi/codex/fetch-proxies-from-proxyscrape-api-4vaqb3 Remove HTTP proxies from proxy UI	2026-01-04 14:27:14 +01:00