fix: allow query for api image-proxy

alexdln · alexdln · commit e6a53cacedf6 · 2026-02-28T14:16:13.000Z
diff --git a/nuxt.config.ts b/nuxt.config.ts
@@ -107,6 +107,13 @@ export default defineNuxtConfig({
         allowQuery: ['color', 'labelColor', 'label', 'name', 'style'],
       },
     },
+    '/api/registry/image-proxy/**': {
+      isr: {
+        expiration: 60 * 60 /* one hour */,
+        passQuery: true,
+        allowQuery: ['url', 'sig'],
+      },
+    },
     '/api/registry/downloads/**': {
       isr: {
         expiration: 60 * 60 /* one hour */,
diff --git a/server/api/registry/image-proxy/index.get.ts b/server/api/registry/image-proxy/index.get.ts
@@ -42,192 +42,195 @@ export default defineEventHandler(async event => {
   const sig = (Array.isArray(query.sig) ? query.sig[0] : query.sig) as string | undefined
 
   if (!url) {
-    return {eventPath: event.path, eventParams: event.context.params, reqUrl: event.node.req.url, reqOrigUrl: event.node.req.originalUrl}
+    throw createError({
+      statusCode: 400,
+      message: 'Missing required "url" query parameter.',
+    })
   }
 
   if (!sig) {
-    return { sig: sig || "none", origSig: query.sig, query}
+    throw createError({
+      statusCode: 400,
+      message: 'Missing required "sig" query parameter.',
+    })
   }
-  return {"ok": true, url, sig, origSig: query.sig, query};
 
   // Verify HMAC signature to ensure this URL was generated server-side
-  // const { imageProxySecret } = useRuntimeConfig()
-  // if (!imageProxySecret || !verifyImageUrl(url, sig, imageProxySecret)) {
-  //   // throw createError({
-  //   //   statusCode: 403,
-  //   //   message: 'Invalid signature.',
-  //   // })
-  //   return {url, sig, imageProxySecret}
-  // }
-  // return {"ok": true};
-
-  // // Validate URL syntactically
-  // if (!isAllowedImageUrl(url)) {
-  //   throw createError({
-  //     statusCode: 400,
-  //     message: 'Invalid or disallowed image URL.',
-  //   })
-  // }
-
-  // // Resolve hostname via DNS and validate the resolved IP is not private.
-  // // This prevents DNS rebinding attacks where a hostname resolves to a private IP.
-  // if (!(await resolveAndValidateHost(url))) {
-  //   throw createError({
-  //     statusCode: 400,
-  //     message: 'Invalid or disallowed image URL.',
-  //   })
-  // }
-
-  // try {
-  //   // Manually follow redirects so we can validate each hop before connecting.
-  //   // Using `redirect: 'follow'` would let fetch connect to internal IPs via redirects
-  //   // before we could validate them (TOCTOU issue).
-  //   let currentUrl = url
-  //   let response: Response | undefined
-
-  //   for (let i = 0; i <= MAX_REDIRECTS; i++) {
-  //     response = await fetch(currentUrl, {
-  //       headers: {
-  //         'User-Agent': 'npmx-image-proxy/1.0',
-  //         'Accept': 'image/*',
-  //       },
-  //       redirect: 'manual',
-  //       signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
-  //     })
-
-  //     if (!REDIRECT_STATUSES.has(response.status)) {
-  //       break
-  //     }
-
-  //     const location = response.headers.get('location')
-  //     if (!location) {
-  //       break
-  //     }
-
-  //     // Resolve relative redirect URLs against the current URL
-  //     const redirectUrl = new URL(location, currentUrl).href
-
-  //     // Validate the redirect target before following it
-  //     if (!isAllowedImageUrl(redirectUrl)) {
-  //       throw createError({
-  //         statusCode: 400,
-  //         message: 'Redirect to disallowed URL.',
-  //       })
-  //     }
-
-  //     if (!(await resolveAndValidateHost(redirectUrl))) {
-  //       throw createError({
-  //         statusCode: 400,
-  //         message: 'Redirect to disallowed URL.',
-  //       })
-  //     }
-
-  //     // Consume the redirect response body to free resources
-  //     await response.body?.cancel()
-  //     currentUrl = redirectUrl
-  //   }
-
-  //   if (!response) {
-  //     throw createError({
-  //       statusCode: 502,
-  //       message: 'Failed to fetch image.',
-  //     })
-  //   }
-
-  //   // Check if we exhausted the redirect limit
-  //   if (REDIRECT_STATUSES.has(response.status)) {
-  //     await response.body?.cancel()
-  //     throw createError({
-  //       statusCode: 502,
-  //       message: 'Too many redirects.',
-  //     })
-  //   }
-
-  //   if (!response.ok) {
-  //     await response.body?.cancel()
-  //     throw createError({
-  //       statusCode: response.status === 404 ? 404 : 502,
-  //       message: `Failed to fetch image: ${response.status}`,
-  //     })
-  //   }
-
-  //   const contentType = response.headers.get('content-type') || 'application/octet-stream'
-
-  //   // Only allow raster/vector image content types, but block SVG to prevent
-  //   // embedded JavaScript execution (SVGs can contain <script> tags, event handlers, etc.)
-  //   if (!contentType.startsWith('image/') || contentType.includes('svg')) {
-  //     await response.body?.cancel()
-  //     throw createError({
-  //       statusCode: 400,
-  //       message: 'URL does not point to an allowed image type.',
-  //     })
-  //   }
-
-  //   // Check Content-Length header if present (may be absent or dishonest)
-  //   const contentLength = response.headers.get('content-length')
-  //   if (contentLength && Number.parseInt(contentLength, 10) > MAX_SIZE) {
-  //     await response.body?.cancel()
-  //     throw createError({
-  //       statusCode: 413,
-  //       message: 'Image too large.',
-  //     })
-  //   }
-
-  //   if (!response.body) {
-  //     throw createError({
-  //       statusCode: 502,
-  //       message: 'No response body from upstream.',
-  //     })
-  //   }
-
-  //   // Do not forward upstream Content-Length since we may truncate the stream
-  //   // at MAX_SIZE, which would cause a mismatch with the declared length.
-  //   setResponseHeaders(event, {
-  //     'Content-Type': contentType,
-  //     'Cache-Control': `public, max-age=${CACHE_MAX_AGE_ONE_DAY}, s-maxage=${CACHE_MAX_AGE_ONE_DAY}`,
-  //     // Security headers - prevent content sniffing and restrict usage
-  //     'X-Content-Type-Options': 'nosniff',
-  //     'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
-  //   })
-
-  //   // Stream the response with a size limit to prevent memory exhaustion.
-  //   // Uses pipe-based backpressure so the upstream pauses when the consumer is slow.
-  //   let bytesRead = 0
-  //   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  //   const upstream = Readable.fromWeb(response.body as any)
-  //   const limited = new Readable({
-  //     read() {
-  //       // Resume the upstream when the consumer is ready for more data
-  //       upstream.resume()
-  //     },
-  //   })
-
-  //   upstream.on('data', (chunk: Buffer) => {
-  //     bytesRead += chunk.length
-  //     if (bytesRead > MAX_SIZE) {
-  //       upstream.destroy()
-  //       limited.destroy(new Error('Image too large'))
-  //     } else {
-  //       // Respect backpressure: if push() returns false, pause the upstream
-  //       // until the consumer calls read() again
-  //       if (!limited.push(chunk)) {
-  //         upstream.pause()
-  //       }
-  //     }
-  //   })
-  //   upstream.on('end', () => limited.push(null))
-  //   upstream.on('error', (err: Error) => limited.destroy(err))
-
-  //   return sendStream(event, limited)
-  // } catch (error: unknown) {
-  //   // Re-throw H3 errors
-  //   if (error && typeof error === 'object' && 'statusCode' in error) {
-  //     throw error
-  //   }
-
-  //   throw createError({
-  //     statusCode: 502,
-  //     message: 'Failed to proxy image.',
-  //   })
-  // }
+  const { imageProxySecret } = useRuntimeConfig()
+  if (!imageProxySecret || !verifyImageUrl(url, sig, imageProxySecret)) {
+    throw createError({
+      statusCode: 403,
+      message: 'Invalid signature.',
+    })
+  }
+
+  // Validate URL syntactically
+  if (!isAllowedImageUrl(url)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
+  }
+
+  // Resolve hostname via DNS and validate the resolved IP is not private.
+  // This prevents DNS rebinding attacks where a hostname resolves to a private IP.
+  if (!(await resolveAndValidateHost(url))) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
+  }
+
+  try {
+    // Manually follow redirects so we can validate each hop before connecting.
+    // Using `redirect: 'follow'` would let fetch connect to internal IPs via redirects
+    // before we could validate them (TOCTOU issue).
+    let currentUrl = url
+    let response: Response | undefined
+
+    for (let i = 0; i <= MAX_REDIRECTS; i++) {
+      response = await fetch(currentUrl, {
+        headers: {
+          'User-Agent': 'npmx-image-proxy/1.0',
+          'Accept': 'image/*',
+        },
+        redirect: 'manual',
+        signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+      })
+
+      if (!REDIRECT_STATUSES.has(response.status)) {
+        break
+      }
+
+      const location = response.headers.get('location')
+      if (!location) {
+        break
+      }
+
+      // Resolve relative redirect URLs against the current URL
+      const redirectUrl = new URL(location, currentUrl).href
+
+      // Validate the redirect target before following it
+      if (!isAllowedImageUrl(redirectUrl)) {
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
+      }
+
+      if (!(await resolveAndValidateHost(redirectUrl))) {
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
+      }
+
+      // Consume the redirect response body to free resources
+      await response.body?.cancel()
+      currentUrl = redirectUrl
+    }
+
+    if (!response) {
+      throw createError({
+        statusCode: 502,
+        message: 'Failed to fetch image.',
+      })
+    }
+
+    // Check if we exhausted the redirect limit
+    if (REDIRECT_STATUSES.has(response.status)) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 502,
+        message: 'Too many redirects.',
+      })
+    }
+
+    if (!response.ok) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: response.status === 404 ? 404 : 502,
+        message: `Failed to fetch image: ${response.status}`,
+      })
+    }
+
+    const contentType = response.headers.get('content-type') || 'application/octet-stream'
+
+    // Only allow raster/vector image content types, but block SVG to prevent
+    // embedded JavaScript execution (SVGs can contain <script> tags, event handlers, etc.)
+    if (!contentType.startsWith('image/') || contentType.includes('svg')) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 400,
+        message: 'URL does not point to an allowed image type.',
+      })
+    }
+
+    // Check Content-Length header if present (may be absent or dishonest)
+    const contentLength = response.headers.get('content-length')
+    if (contentLength && Number.parseInt(contentLength, 10) > MAX_SIZE) {
+      await response.body?.cancel()
+      throw createError({
+        statusCode: 413,
+        message: 'Image too large.',
+      })
+    }
+
+    if (!response.body) {
+      throw createError({
+        statusCode: 502,
+        message: 'No response body from upstream.',
+      })
+    }
+
+    // Do not forward upstream Content-Length since we may truncate the stream
+    // at MAX_SIZE, which would cause a mismatch with the declared length.
+    setResponseHeaders(event, {
+      'Content-Type': contentType,
+      'Cache-Control': `public, max-age=${CACHE_MAX_AGE_ONE_DAY}, s-maxage=${CACHE_MAX_AGE_ONE_DAY}`,
+      // Security headers - prevent content sniffing and restrict usage
+      'X-Content-Type-Options': 'nosniff',
+      'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'",
+    })
+
+    // Stream the response with a size limit to prevent memory exhaustion.
+    // Uses pipe-based backpressure so the upstream pauses when the consumer is slow.
+    let bytesRead = 0
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const upstream = Readable.fromWeb(response.body as any)
+    const limited = new Readable({
+      read() {
+        // Resume the upstream when the consumer is ready for more data
+        upstream.resume()
+      },
+    })
+
+    upstream.on('data', (chunk: Buffer) => {
+      bytesRead += chunk.length
+      if (bytesRead > MAX_SIZE) {
+        upstream.destroy()
+        limited.destroy(new Error('Image too large'))
+      } else {
+        // Respect backpressure: if push() returns false, pause the upstream
+        // until the consumer calls read() again
+        if (!limited.push(chunk)) {
+          upstream.pause()
+        }
+      }
+    })
+    upstream.on('end', () => limited.push(null))
+    upstream.on('error', (err: Error) => limited.destroy(err))
+
+    return sendStream(event, limited)
+  } catch (error: unknown) {
+    // Re-throw H3 errors
+    if (error && typeof error === 'object' && 'statusCode' in error) {
+      throw error
+    }
+
+    throw createError({
+      statusCode: 502,
+      message: 'Failed to proxy image.',
+    })
+  }
 })
