Update author & library item image endpoints to clamp width/height query params

server/controllers/AuthorController.js

@@ -10,7 +10,7 @@ const CacheManager = require('../managers/CacheManager')
 const CoverManager = require('../managers/CoverManager')
 const AuthorFinder = require('../finders/AuthorFinder')
 
-const { reqSupportsWebp, isValidASIN } = require('../utils/index')
+const { reqSupportsWebp, isValidASIN, clampPositiveInt } = require('../utils/index')
 
 const naturalSort = createNewSortInstance({
   comparer: new Intl.Collator(undefined, { numeric: true, sensitivity: 'base' }).compare
@@ -412,8 +412,8 @@ class AuthorController {
 
     const options = {
       format: format || (reqSupportsWebp(req) ? 'webp' : 'jpeg'),
-      height: height ? parseInt(height) : null,
-      width: width ? parseInt(width) : null
+      height: clampPositiveInt(height ? parseInt(height) : null, 4096),
+      width: clampPositiveInt(width ? parseInt(width) : null, 4096)
     }
     return CacheManager.handleAuthorCache(res, authorId, options)
   }

server/controllers/LibraryItemController.js

@@ -7,7 +7,7 @@ const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
 
 const zipHelpers = require('../utils/zipHelpers')
-const { reqSupportsWebp } = require('../utils/index')
+const { reqSupportsWebp, clampPositiveInt } = require('../utils/index')
 const { ScanResult, AudioMimeType } = require('../utils/constants')
 const { getAudioMimeTypeFromExtname, encodeUriPath } = require('../utils/fileUtils')
 const LibraryItemScanner = require('../scanner/LibraryItemScanner')
@@ -398,8 +398,8 @@ class LibraryItemController {
 
     const options = {
       format: format || (reqSupportsWebp(req) ? 'webp' : 'jpeg'),
-      height: height ? parseInt(height) : null,
-      width: width ? parseInt(width) : null
+      height: clampPositiveInt(height ? parseInt(height) : null, 4096),
+      width: clampPositiveInt(width ? parseInt(width) : null, 4096)
     }
     return CacheManager.handleCoverCache(res, libraryItemId, options)
   }

server/utils/index.js

@@ -54,6 +54,16 @@ module.exports.isNullOrNaN = (num) => {
   return num === null || isNaN(num)
 }
 
+/**
+ * @param {number|null|undefined} value
+ * @param {number} max
+ * @returns {number|null}
+ */
+module.exports.clampPositiveInt = (value, max) => {
+  if (value == null || !Number.isFinite(value) || value <= 0) return null
+  return Math.min(Math.floor(value), max)
+}
+
 const xmlToJSON = (xml) => {
   return new Promise((resolve, reject) => {
     parseString(xml, (err, results) => {