Fix Phase 5 review issues: SSTI, FK violation, sync rebuild

Fixes 5 issues identified by code-reviewer agent: 1. (Critical) EventLog.tracker_id now nullable - use None instead of 0 when tracker name doesn't match, avoiding FK constraint violations on PostgreSQL 2. (Critical) Replace jinja2.Environment with SandboxedEnvironment in all 3 server template rendering locations to prevent SSTI 3. (Important) Rebuild sync_client in _async_update_listener when server URL/key options change, propagate to all coordinators 4. (Important) Validate partial server config - require both URL and API key or neither, with clear error message 5. (Important) Name fire-and-forget sync task for debugging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:17:59 +03:00
parent ab1c7ac0db
commit 43f83acda9
8 changed files with 22 additions and 8 deletions
--- a/packages/server/src/immich_watcher_server/api/sync.py
+++ b/packages/server/src/immich_watcher_server/api/sync.py
@@ -136,7 +136,7 @@ async def render_template(
        raise HTTPException(status_code=404, detail="Template not found")

    try:
-        env = jinja2.Environment(autoescape=False)
+        env = jinja2.sandbox.SandboxedEnvironment(autoescape=False)
        tmpl = env.from_string(template.body)
        rendered = tmpl.render(**body.context)
        return {"rendered": rendered}
@@ -161,7 +161,7 @@ async def report_event(
    tracker = result.first()

    event = EventLog(
-        tracker_id=tracker.id if tracker else 0,
+        tracker_id=tracker.id if tracker else None,
        event_type=body.event_type,
        album_id=body.album_id,
        album_name=body.album_name,
--- a/packages/server/src/immich_watcher_server/api/templates.py
+++ b/packages/server/src/immich_watcher_server/api/templates.py
@@ -124,7 +124,7 @@ async def preview_template(
    """Render a template with sample data."""
    template = await _get_user_template(session, template_id, user.id)
    try:
-        env = jinja2.Environment(autoescape=False)
+        env = jinja2.sandbox.SandboxedEnvironment(autoescape=False)
        tmpl = env.from_string(template.body)
        rendered = tmpl.render(**_SAMPLE_CONTEXT)
        return {"rendered": rendered}
--- a/packages/server/src/immich_watcher_server/database/models.py
+++ b/packages/server/src/immich_watcher_server/database/models.py
@@ -104,7 +104,7 @@ class EventLog(SQLModel, table=True):
    __tablename__ = "event_log"

    id: int | None = Field(default=None, primary_key=True)
-    tracker_id: int = Field(foreign_key="album_tracker.id")
+    tracker_id: int | None = Field(default=None, foreign_key="album_tracker.id")
    event_type: str
    album_id: str
    album_name: str
--- a/packages/server/src/immich_watcher_server/services/notifier.py
+++ b/packages/server/src/immich_watcher_server/services/notifier.py
@@ -24,7 +24,7 @@ DEFAULT_TEMPLATE = (

 def render_template(template_body: str, context: dict[str, Any]) -> str:
    """Render a Jinja2 template with the given context."""
-    env = jinja2.Environment(autoescape=False)
+    env = jinja2.sandbox.SandboxedEnvironment(autoescape=False)
    tmpl = env.from_string(template_body)
    return tmpl.render(**context)