fix: sanitize artist, album, and mbid inputs for cover image retrieval

src/index.ts

@@ -27,22 +27,31 @@ async function get_image_from_server(
   album: string,
   mbid: string,
 ) {
-  const MBFilePath = `public/covers/mb/${mbid}.png`;
+  const safeArtist = artist
-  const iTunesFilePath = `public/covers/itunes/${artist}/${album}.png`;
+    .replace(/[^a-zA-Z0-9_\-\.\u0400-\u04FF\s]/g, "")
+    .trim();
+  const safeAlbum = album
+    .replace(/[^a-zA-Z0-9_\-\.\u0400-\u04FF\s]/g, "")
+    .trim();
+  const safeMbid = mbid.replace(/[^a-zA-Z0-9\-]/g, "");
+
+  const MBFilePath = `public/covers/mb/${safeMbid}.png`;
+  const iTunesFilePath = `public/covers/itunes/${safeArtist}/${safeAlbum}.png`;
 
   let resultFilePath = MBFilePath;
 
-  if (fs.existsSync(MBFilePath) || fs.existsSync(iTunesFilePath)) {
+  if (fs.existsSync(MBFilePath)) {
-    if (fs.existsSync(MBFilePath)) resultFilePath = MBFilePath;
+    resultFilePath = MBFilePath;
-    else resultFilePath = iTunesFilePath;
+  } else if (fs.existsSync(iTunesFilePath)) {
-    console.log("[DEBUG]: cover found on server");
+    resultFilePath = iTunesFilePath;
   } else {
     try {
       await download_image_from_itunes(artist, album);
       resultFilePath = iTunesFilePath;
     } catch (first_error) {
       try {
-        await download_image_from_caa(mbid);
+        if (safeMbid && safeMbid != "0") await download_image_from_caa(mbid);
+        else throw first_error;
         resultFilePath = MBFilePath;
       } catch (secong_error) {
         console.error(
@@ -50,7 +59,6 @@ async function get_image_from_server(
           first_error,
           secong_error,
         );
-        // resultFilePath = "public/covers/0.png";
         throw Error("cover not found");
       }
     }