Security updates to image proxy

This commit is contained in:
austinkelsay 2024-09-25 11:22:45 -05:00
parent ca77e2674f
commit 24afd44409


@ -12,14 +12,26 @@ export default async function handler(req, res) {
const response = await axios({ const response = await axios({
method: 'GET', method: 'GET',
url: imageUrl, url: imageUrl,
responseType: 'stream', responseType: 'arraybuffer',
timeout: 8000, // Set a timeout to prevent long-running requests
// limit the size of the response to 100MB
maxContentLength: 100 * 1024 * 1024,
}); });
// Forward the content type // Validate content type
res.setHeader('Content-Type', response.headers['content-type']); const contentType = response.headers['content-type'];
const allowedContentTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
if (!allowedContentTypes.includes(contentType)) {
return res.status(403).json({ error: 'Invalid content type' });
}
// Stream the image from the external source to the client // Set security headers
response.data.pipe(res); res.setHeader('Content-Security-Policy', "img-src 'self'; object-src 'none'");
res.setHeader('X-Content-Type-Options', 'nosniff');
// Set the content type and send the image data
res.setHeader('Content-Type', contentType);
res.send(response.data);
} catch (error) { } catch (error) {
console.error('Image proxy error:', error); console.error('Image proxy error:', error);
res.status(500).json({ error: 'Failed to fetch image' }); res.status(500).json({ error: 'Failed to fetch image' });