fix: return stream, protect against ssrf

Author: danielroe

server/api/registry/image-proxy/index.get.ts

@@ -1,4 +1,5 @@
-import { createError, getQuery, setResponseHeaders } from 'h3'
+import { createError, getQuery, setResponseHeaders, sendStream } from 'h3'
+import { Readable } from 'node:stream'
 import { CACHE_MAX_AGE_ONE_DAY } from '#shared/utils/constants'
 import { isAllowedImageUrl } from '#shared/utils/image-proxy'
 
@@ -15,105 +16,119 @@ import { isAllowedImageUrl } from '#shared/utils/image-proxy'
  *
  * Resolves: https://github.com/npmx-dev/npmx.dev/issues/1138
  */
-export default defineCachedEventHandler(
-  async event => {
-    const query = getQuery(event)
-    const url = query.url as string | undefined
+export default defineEventHandler(async event => {
+  const query = getQuery(event)
+  const rawUrl = query.url
+  const url = (Array.isArray(rawUrl) ? rawUrl[0] : rawUrl) as string | undefined
 
-    if (!url) {
+  if (!url) {
+    throw createError({
+      statusCode: 400,
+      message: 'Missing required "url" query parameter.',
+    })
+  }
+
+  // Validate URL
+  if (!isAllowedImageUrl(url)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
+  }
+
+  try {
+    const response = await fetch(url, {
+      headers: {
+        // Use a generic User-Agent to avoid leaking server info
+        'User-Agent': 'npmx-image-proxy/1.0',
+        'Accept': 'image/*',
+      },
+      redirect: 'follow',
+    })
+
+    // Validate final URL after any redirects to prevent SSRF bypass
+    if (response.url !== url && !isAllowedImageUrl(response.url)) {
       throw createError({
         statusCode: 400,
-        message: 'Missing required "url" query parameter.',
+        message: 'Redirect to disallowed URL.',
       })
     }
 
-    // Validate URL
-    if (!isAllowedImageUrl(url)) {
+    if (!response.ok) {
       throw createError({
-        statusCode: 400,
-        message: 'Invalid or disallowed image URL.',
+        statusCode: response.status === 404 ? 404 : 502,
+        message: `Failed to fetch image: ${response.status}`,
       })
     }
 
-    try {
-      const response = await fetch(url, {
-        headers: {
-          // Use a generic User-Agent to avoid leaking server info
-          'User-Agent': 'npmx-image-proxy/1.0',
-          'Accept': 'image/*',
-        },
-        // Prevent redirects to non-HTTP protocols
-        redirect: 'follow',
-      })
-
-      if (!response.ok) {
-        throw createError({
-          statusCode: response.status === 404 ? 404 : 502,
-          message: `Failed to fetch image: ${response.status}`,
-        })
-      }
-
-      const contentType = response.headers.get('content-type') || 'application/octet-stream'
+    const contentType = response.headers.get('content-type') || 'application/octet-stream'
 
-      // Only allow image content types
-      if (
-        !contentType.startsWith('image/') &&
-        !contentType.startsWith('application/octet-stream')
-      ) {
-        throw createError({
-          statusCode: 400,
-          message: 'URL does not point to an image.',
-        })
-      }
+    // Only allow image content types
+    if (!contentType.startsWith('image/')) {
+      throw createError({
+        statusCode: 400,
+        message: 'URL does not point to an image.',
+      })
+    }
 
-      // Enforce a maximum size of 10 MB to prevent abuse
-      const contentLength = response.headers.get('content-length')
-      const MAX_SIZE = 10 * 1024 * 1024 // 10 MB
-      if (contentLength && Number.parseInt(contentLength, 10) > MAX_SIZE) {
-        throw createError({
-          statusCode: 413,
-          message: 'Image too large.',
-        })
-      }
+    // Check Content-Length header if present (may be absent or dishonest)
+    const MAX_SIZE = 10 * 1024 * 1024 // 10 MB
+    const contentLength = response.headers.get('content-length')
+    if (contentLength && Number.parseInt(contentLength, 10) > MAX_SIZE) {
+      throw createError({
+        statusCode: 413,
+        message: 'Image too large.',
+      })
+    }
 
-      const imageBuffer = await response.arrayBuffer()
+    if (!response.body) {
+      throw createError({
+        statusCode: 502,
+        message: 'No response body from upstream.',
+      })
+    }
 
-      // Check actual size
-      if (imageBuffer.byteLength > MAX_SIZE) {
-        throw createError({
-          statusCode: 413,
-          message: 'Image too large.',
-        })
-      }
+    setResponseHeaders(event, {
+      'Content-Type': contentType,
+      'Cache-Control': `public, max-age=${CACHE_MAX_AGE_ONE_DAY}, s-maxage=${CACHE_MAX_AGE_ONE_DAY}`,
+      // Security headers - prevent content sniffing and restrict usage
+      'X-Content-Type-Options': 'nosniff',
+      'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
+    })
 
-      setResponseHeaders(event, {
-        'Content-Type': contentType,
-        'Content-Length': imageBuffer.byteLength.toString(),
-        'Cache-Control': `public, max-age=${CACHE_MAX_AGE_ONE_DAY}, s-maxage=${CACHE_MAX_AGE_ONE_DAY}`,
-        // Security headers - prevent content sniffing and restrict usage
-        'X-Content-Type-Options': 'nosniff',
-        'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
-      })
+    // Stream the response with a size limit to prevent memory exhaustion.
+    // This avoids buffering the entire image into memory before sending.
+    let bytesRead = 0
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const upstream = Readable.fromWeb(response.body as any)
+    const limited = new Readable({
+      read() {
+        /* pulling is driven by upstream push */
+      },
+    })
 
-      return Buffer.from(imageBuffer)
-    } catch (error: unknown) {
-      // Re-throw H3 errors
-      if (error && typeof error === 'object' && 'statusCode' in error) {
-        throw error
+    upstream.on('data', (chunk: Buffer) => {
+      bytesRead += chunk.length
+      if (bytesRead > MAX_SIZE) {
+        upstream.destroy()
+        limited.destroy(new Error('Image too large'))
+      } else {
+        limited.push(chunk)
       }
+    })
+    upstream.on('end', () => limited.push(null))
+    upstream.on('error', (err: Error) => limited.destroy(err))
 
-      throw createError({
-        statusCode: 502,
-        message: 'Failed to proxy image.',
-      })
+    return sendStream(event, limited)
+  } catch (error: unknown) {
+    // Re-throw H3 errors
+    if (error && typeof error === 'object' && 'statusCode' in error) {
+      throw error
     }
-  },
-  {
-    maxAge: CACHE_MAX_AGE_ONE_DAY,
-    swr: true,
-    getKey: event => {
-      const query = getQuery(event)
-      return `image-proxy:${query.url}`
-    },
-  },
-)
+
+    throw createError({
+      statusCode: 502,
+      message: 'Failed to proxy image.',
+    })
+  }
+})

shared/utils/image-proxy.ts

@@ -45,46 +45,66 @@ const TRUSTED_IMAGE_DOMAINS = [
  * Check if a URL points to a trusted domain that doesn't need proxying.
  */
 export function isTrustedImageDomain(url: string): boolean {
-  try {
-    const parsed = new URL(url)
-    const hostname = parsed.hostname.toLowerCase()
-    return TRUSTED_IMAGE_DOMAINS.some(
-      domain => hostname === domain || hostname.endsWith(`.${domain}`),
-    )
-  } catch {
-    return false
-  }
+  const parsed = URL.parse(url)
+  if (!parsed) return false
+
+  const hostname = parsed.hostname.toLowerCase()
+  return TRUSTED_IMAGE_DOMAINS.some(
+    domain => hostname === domain || hostname.endsWith(`.${domain}`),
+  )
 }
 
 /**
  * Validate that a URL is a valid HTTP(S) image URL suitable for proxying.
  */
 export function isAllowedImageUrl(url: string): boolean {
-  try {
-    const parsed = new URL(url)
-    // Only allow HTTP and HTTPS protocols
-    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
-      return false
-    }
-    // Block localhost / private IPs to prevent SSRF
-    const hostname = parsed.hostname.toLowerCase()
-    if (
-      hostname === 'localhost' ||
-      hostname === '127.0.0.1' ||
-      hostname === '::1' ||
-      hostname === '0.0.0.0' ||
-      hostname.startsWith('10.') ||
-      hostname.startsWith('192.168.') ||
-      hostname.startsWith('172.') ||
-      hostname.endsWith('.local') ||
-      hostname.endsWith('.internal')
-    ) {
-      return false
-    }
-    return true
-  } catch {
+  const parsed = URL.parse(url)
+  if (!parsed) return false
+
+  // Only allow HTTP and HTTPS protocols
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
     return false
   }
+
+  // Block localhost / private IPs to prevent SSRF
+  const hostname = parsed.hostname.toLowerCase()
+  if (
+    hostname === 'localhost' ||
+    hostname === '127.0.0.1' ||
+    hostname === '0.0.0.0' ||
+    hostname.startsWith('10.') ||
+    hostname.startsWith('192.168.') ||
+    // RFC 1918: 172.16.0.0 – 172.31.255.255
+    /^172\.(1[6-9]|2\d|3[01])\./.test(hostname) ||
+    // Link-local (cloud metadata: 169.254.169.254)
+    hostname.startsWith('169.254.') ||
+    hostname.endsWith('.local') ||
+    hostname.endsWith('.internal') ||
+    // IPv6 loopback
+    hostname === '::1' ||
+    hostname === '[::1]' ||
+    // IPv6 link-local
+    hostname.startsWith('fe80:') ||
+    hostname.startsWith('[fe80:') ||
+    // IPv6 unique local (fc00::/7)
+    hostname.startsWith('fc') ||
+    hostname.startsWith('fd') ||
+    hostname.startsWith('[fc') ||
+    hostname.startsWith('[fd') ||
+    // IPv4-mapped IPv6 addresses
+    hostname.startsWith('::ffff:127.') ||
+    hostname.startsWith('::ffff:10.') ||
+    hostname.startsWith('::ffff:192.168.') ||
+    hostname.startsWith('::ffff:169.254.') ||
+    hostname.startsWith('[::ffff:127.') ||
+    hostname.startsWith('[::ffff:10.') ||
+    hostname.startsWith('[::ffff:192.168.') ||
+    hostname.startsWith('[::ffff:169.254.')
+  ) {
+    return false
+  }
+
+  return true
 }
 
 /**
@@ -98,13 +118,8 @@ export function toProxiedImageUrl(url: string): string {
     return url
   }
 
-  try {
-    const parsed = new URL(url)
-    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
-      return url
-    }
-  } catch {
-    // Not an absolute URL, return as-is (relative URLs are fine)
+  const parsed = URL.parse(url)
+  if (!parsed || (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')) {
     return url
   }
 

test/unit/shared/utils/image-proxy.spec.ts

@@ -89,6 +89,30 @@ describe('Image Proxy Utils', () => {
       expect(isAllowedImageUrl('http://service.internal/image.png')).toBe(false)
     })
 
+    it('blocks cloud metadata IP (169.254.x.x)', () => {
+      expect(isAllowedImageUrl('http://169.254.169.254/latest/meta-data/')).toBe(false)
+    })
+
+    it('blocks private 172.16-31.x.x range', () => {
+      expect(isAllowedImageUrl('http://172.16.0.1/image.png')).toBe(false)
+      expect(isAllowedImageUrl('http://172.31.255.255/image.png')).toBe(false)
+    })
+
+    it('allows public 172.x IPs outside RFC 1918', () => {
+      expect(isAllowedImageUrl('http://172.64.0.1/image.png')).toBe(true)
+      expect(isAllowedImageUrl('http://172.15.0.1/image.png')).toBe(true)
+      expect(isAllowedImageUrl('http://172.32.0.1/image.png')).toBe(true)
+    })
+
+    it('blocks IPv6 link-local (fe80::)', () => {
+      expect(isAllowedImageUrl('http://[fe80::1]/image.png')).toBe(false)
+    })
+
+    it('blocks IPv6 unique local (fc00::/fd)', () => {
+      expect(isAllowedImageUrl('http://[fc00::1]/image.png')).toBe(false)
+      expect(isAllowedImageUrl('http://[fd12::1]/image.png')).toBe(false)
+    })
+
     it('returns false for invalid URLs', () => {
       expect(isAllowedImageUrl('not-a-url')).toBe(false)
     })