From 6eebb77ae57b8dd9cda0f17aa132c3e5eae23f30 Mon Sep 17 00:00:00 2001
From: pax
Date: Sat, 11 Apr 2026 16:10:12 -0500
Subject: [PATCH] =?UTF-8?q?security:=20fix=20#1=20=E2=80=94=20wire=20SSRF?=
 =?UTF-8?q?=20hook=20into=20BooruClient=20shared=20client?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds validate_public_request to the BooruClient event_hooks list so every request (and every redirect hop) is checked against the block list from _safety.py. Danbooru, Gelbooru, and Moebooru subclasses all go through BooruClient.client and inherit the protection. Preserves the existing _log_request hook by listing both hooks in order: validate first (so blocked hops never reach the log), then log.

Audit-Ref: SECURITY_AUDIT.md finding #1
Severity: High
---
 booru_viewer/core/api/base.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/booru_viewer/core/api/base.py b/booru_viewer/core/api/base.py
index ce02dee..d4c2347 100644
--- a/booru_viewer/core/api/base.py
+++ b/booru_viewer/core/api/base.py
@@ -12,6 +12,7 @@ import httpx
 from ..config import USER_AGENT, DEFAULT_PAGE_SIZE
 from ..cache import log_connection
+from ._safety import validate_public_request
 
 log = logging.getLogger("booru")
 
@@ -106,7 +107,12 @@ class BooruClient(ABC):
             headers={"User-Agent": USER_AGENT},
             follow_redirects=True,
             timeout=20.0,
-            event_hooks={"request": [self._log_request]},
+            event_hooks={
+                "request": [
+                    validate_public_request,
+                    self._log_request,
+                ],
+            },
             limits=httpx.Limits(max_connections=10, max_keepalive_connections=5),
         )
         BooruClient._shared_client = c
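Review bot: The request hook only sees the URL, so the address validate_public_request checks is not necessarily the one the transport connects to a moment later (a hostname can re-resolve between the hook and the socket, i.e. DNS rebinding); if _safety.py validates by resolving the hostname, the second hunk's `event_hooks` wiring is weaker than the message implies and should either be paired with a resolver/transport-level pin or carry a comment such as `# NOTE: hook checks the request URL, not the connected peer; see _safety.py for the rebinding caveat`. Whether `c` is an httpx.Client or httpx.AsyncClient is not visible here — with AsyncClient request hooks must be coroutines, so confirm validate_public_request has the same sync/async kind as self._log_request or httpx will fail when it awaits the hook. The change ships without a regression test; an `httpx.MockTransport` that answers the first request with a 302 to a loopback address and asserts the redirect hop raises would pin the per-hop behaviour the commit message relies on. The method that builds `c` starts before the hunk.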