2 changes: 2 additions & 0 deletions API/Controllers/UploadController.cs
Expand Up @@ -59,6 +59,8 @@ public async Task<ActionResult<string>> GetImageFromFile(UploadUrlDto dto)
if (string.IsNullOrEmpty(path) || !_directoryService.FileSystem.File.Exists(path))
return BadRequest($"Could not download file");

if (!await _imageService.IsImage(path)) return BadRequest("Url does not return a valid image");

return $"coverupload_{dateString}.{format}";
}
catch (FlurlHttpException ex)
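Review bot: When the new check on L7 rejects the download, the file at `path` is left behind, since the method returns `BadRequest` without touching it; the existence check on L4 shows the file is already on disk at that point. If the download to `path` happens earlier in this method (its start is outside the hunk), the non-image should be removed before returning, e.g. `if (!await _imageService.IsImage(path)) { _directoryService.FileSystem.File.Delete(path); return BadRequest("Url does not return a valid image"); }`, so that rejected uploads do not accumulate in the upload directory. A short comment such as `// Reject anything ImageSharp cannot identify before handing the file on` would also explain why this validation sits after the existence check.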
6 changes: 3 additions & 3 deletions API/Data/Repositories/ReadingListRepository.cs
Expand Up @@ -17,7 +17,7 @@ public interface IReadingListRepository
Task<IEnumerable<ReadingListItemDto>> GetReadingListItemDtosByIdAsync(int readingListId, int userId);
Task<ReadingListDto> GetReadingListDtoByIdAsync(int readingListId, int userId);
Task<IEnumerable<ReadingListItemDto>> AddReadingProgressModifiers(int userId, IList<ReadingListItemDto> items);
Task<ReadingListDto> GetReadingListDtoByTitleAsync(string title);
Task<ReadingListDto> GetReadingListDtoByTitleAsync(int userId, string title);
Task<IEnumerable<ReadingListItem>> GetReadingListItemsByIdAsync(int readingListId);

Task<IEnumerable<ReadingListDto>> GetReadingListDtosForSeriesAndUserAsync(int userId, int seriesId,
Expand Down Expand Up @@ -211,10 +211,10 @@ public async Task<IEnumerable<ReadingListItemDto>> AddReadingProgressModifiers(i
return items;
}

public async Task<ReadingListDto> GetReadingListDtoByTitleAsync(string title)
public async Task<ReadingListDto> GetReadingListDtoByTitleAsync(int userId, string title)
{
return await _context.ReadingList
.Where(r => r.Title.Equals(title))
.Where(r => r.Title.Equals(title) && r.AppUserId == userId)
.ProjectTo<ReadingListDto>(_mapper.ConfigurationProvider)
.SingleOrDefaultAsync();
}
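Review bot: The new `GetReadingListDtoByTitleAsync(int userId, string title)` on L20 carries no XML doc, although the ownership scoping added on L33 (`r.AppUserId == userId`) is exactly the contract callers now rely on to avoid reading another user's list; the sibling members in this interface are undocumented too, so this is a style point rather than a regression. I would add `/// <summary>Returns the reading list with the given title owned by <paramref name="userId"/>, or null if that user has none with that title.</summary>` above L20. Note also that `SingleOrDefaultAsync` on L35 throws `InvalidOperationException` if one user has two lists with the same title; the per-user scope narrows that case but only removes it if title uniqueness per user is enforced elsewhere, which this diff does not show.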
8 changes: 7 additions & 1 deletion API/Extensions/IdentityServiceExtensions.cs
@@ -1,4 +1,5 @@
using System.Text;
using System;
using System.Text;
using System.Threading.Tasks;
using API.Constants;
using API.Data;
Expand Down Expand Up @@ -32,6 +33,11 @@ public static IServiceCollection AddIdentityServices(this IServiceCollection ser
opt.Password.RequiredLength = 6;

opt.SignIn.RequireConfirmedEmail = true;

opt.Lockout.AllowedForNewUsers = true;
opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);
opt.Lockout.MaxFailedAccessAttempts = 5;

})
.AddTokenProvider<DataProtectorTokenProvider<AppUser>>(TokenOptions.DefaultProvider)
.AddRoles<AppRole>()
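Review bot: The lockout options on L52–L54 only take effect if the sign-in path records failed attempts — `SignInManager.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true)` or an explicit `UserManager.AccessFailedAsync` — whereas `UserManager.CheckPasswordAsync` on its own never increments the failed-access count; the account controller is outside this diff, so confirm which call it uses. The three values are unexplained magic numbers; a comment above L52 such as `// Lock the account for 10 minutes after 5 consecutive failed logins (online brute-force mitigation)` would document the intent. `AllowedForNewUsers = true` is already Identity's default, so L52 is either redundant or worth keeping only as an explicit statement of policy. Since lockout also lets anyone who knows a username temporarily lock that account, the short 10-minute window is a reasonable bound on that side effect and is worth noting in the same comment.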
19 changes: 19 additions & 0 deletions API/Services/ImageService.cs
Expand Up @@ -27,6 +27,8 @@ public interface IImageService
/// <param name="filePath">Full path to the image to convert</param>
/// <returns>File of written webp image</returns>
Task<string> ConvertToWebP(string filePath, string outputPath);

Task<bool> IsImage(string filePath);
}

public class ImageService : IImageService
Expand Down Expand Up @@ -115,6 +117,23 @@ public async Task<string> ConvertToWebP(string filePath, string outputPath)
return outputFile;
}

public async Task<bool> IsImage(string filePath)
{
try
{
var info = await SixLabors.ImageSharp.Image.IdentifyAsync(filePath);
if (info == null) return false;

return true;
}
catch (Exception ex)
{
/* Swallow Exception */
}

return false;
}


/// <inheritdoc />
public string CreateThumbnailFromBase64(string encodedImage, string fileName)
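Review bot: The `catch (Exception ex)` on L84 declares an `ex` it never uses (compiler warning CS0168) and swallows every exception type, including cancellation, without logging, so an unreadable or malformed file is indistinguishable from a genuine non-image at the call site; at minimum drop the unused variable and say in a comment why swallowing is intended. `IdentifyAsync` only parses the header, so this check says nothing about the dimensions of what will later be decoded; if the caller goes on to load the image, bounding `info.Width`/`info.Height` here is a cheap guard against oversized inputs. The interface member on L67 also lacks the `<summary>`/`<param>`/`<returns>` doc that the neighbouring `ConvertToWebP` has (L63–L64); I would add `/// <summary>Returns true if ImageSharp can identify the file at <paramref name="filePath"/> as an image.</summary>`. The body itself collapses to a single expression:
```csharp
public async Task<bool> IsImage(string filePath)
{
    try
    {
        var info = await SixLabors.ImageSharp.Image.IdentifyAsync(filePath);
        // IdentifyAsync parses only the header; null means no decoder recognised the file
        return info is not null;
    }
    catch (Exception)
    {
        // Unreadable or malformed input is reported as "not an image" rather than propagated
        return false;
    }
}
```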
2 changes: 1 addition & 1 deletion Kavita.Common/Kavita.Common.csproj
Expand Up @@ -4,7 +4,7 @@
<TargetFramework>net6.0</TargetFramework>
<Company>kavitareader.com</Company>
<Product>Kavita</Product>
<AssemblyVersion>0.5.4.0</AssemblyVersion>
<AssemblyVersion>0.5.4.1</AssemblyVersion>
<NeutralLanguage>en</NeutralLanguage>
</PropertyGroup>

7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -21,12 +21,12 @@ your reading collection with your friends and family!
- [x] Serve up Manga/Webtoons/Comics (cbr, cbz, zip/rar, 7zip, raw images) and Books (epub, pdf)
- [x] First class responsive readers that work great on any device (phone, tablet, desktop)
- [x] Dark mode and customizable theming support
- [ ] Provide hooks into metadata providers to fetch metadata for Comics, Manga, and Books
- [ ] Provide a plugin system to allow external metadata integration and scrobbling for read status, ratings, and reviews
- [x] Metadata should allow for collections, want to read integration from 3rd party services, genres.
- [x] Ability to manage users, access, and ratings
- [ ] Ability to sync ratings and reviews to external services
- [x] Fully Accessible with active accessibility audits
- [x] Dedicated webtoon reading mode
- [ ] Full localization support
- [ ] And so much [more...](https://github.com/Kareadita/Kavita/projects)

## Support
Expand Down Expand Up @@ -93,6 +93,9 @@ Thank you to [<img src="/Logo/jetbrains.svg" alt="" width="32"> JetBrains](http:
## Palace-Designs
We would like to extend a big thank you to [<img src="/Logo/hosting-sponsor.png" alt="" width="128">](https://www.palace-designs.com/) who hosts our infrastructure pro-bono.

## Huntr
We would like to extend a big thank you to [Huntr](https://huntr.dev/repos/kareadita/kavita) who has worked with Kavita in reporting security vulnerabilities. If you are interested in
being paid to help secure Kavita, please give them a try.

### License

10 changes: 10 additions & 0 deletions SECURITY.md
@@ -0,0 +1,10 @@
# Security Policy

## Supported Versions

Security is maintained on latest stable version only.

## Reporting a Vulnerability


Please reach out to majora2007 via our Discord or you can (and should) report your vulnerability via [Huntr](https://huntr.dev/repos/kareadita/kavita).