fix: update rules for image-proxy (#1748)

alexdln · autofix-ci[bot] · web-flow · commit e616dd7c3273 · 2026-03-01T17:43:30.000Z
Co-authored-by: autofix-ci[bot] &lt;114827586+autofix-ci[bot]@users.noreply.github.com&gt;
diff --git a/nuxt.config.ts b/nuxt.config.ts
@@ -107,6 +107,13 @@ export default defineNuxtConfig({
         allowQuery: ['color', 'labelColor', 'label', 'name', 'style'],
       },
     },
+    '/api/registry/image-proxy': {
+      isr: {
+        expiration: 60 * 60 /* one hour */,
+        passQuery: true,
+        allowQuery: ['url', 'sig'],
+      },
+    },
     '/api/registry/downloads/**': {
       isr: {
         expiration: 60 * 60 /* one hour */,
diff --git a/server/api/registry/image-proxy/index.get.ts b/server/api/registry/image-proxy/index.get.ts
@@ -156,9 +156,8 @@ export default defineEventHandler(async event => {
 
     const contentType = response.headers.get('content-type') || 'application/octet-stream'
 
-    // Only allow raster/vector image content types, but block SVG to prevent
-    // embedded JavaScript execution (SVGs can contain <script> tags, event handlers, etc.)
-    if (!contentType.startsWith('image/') || contentType.includes('svg')) {
+    // Allow raster/vector image content types (we don't inject external content into DOM, so SVG is allowed too)
+    if (!contentType.startsWith('image/')) {
       await response.body?.cancel()
       throw createError({
         statusCode: 400,
diff --git a/server/utils/image-proxy.ts b/server/utils/image-proxy.ts
@@ -41,12 +41,15 @@ const TRUSTED_IMAGE_DOMAINS = [
   'repository-images.githubusercontent.com',
   'github.githubassets.com',
   'objects.githubusercontent.com',
+  'avatars2.githubusercontent.com',
+  'cloud.githubusercontent.com',
 
   // GitLab
   'gitlab.com',
 
   // CDNs commonly used in READMEs
   'cdn.jsdelivr.net',
+  'data.jsdelivr.com',
   'unpkg.com',
 
   // Well-known badge/shield services
@@ -63,6 +66,16 @@ const TRUSTED_IMAGE_DOMAINS = [
   'api.codeclimate.com',
   'bundlephobia.com',
   'packagephobia.com',
+  'deepwiki.com',
+  'saucelabs.github.io',
+  'opencollective.com',
+  'circleci.com',
+  'www.codetriage.com',
+  'badges.gitter.im',
+  'nodei.co',
+  'travis-ci.org',
+  'secure.travis-ci.org',
+  'img.badgesize.io',
 ]
 
 /**
