fix: allow svg in image-proxy

alexdln · alexdln · commit f799a04e01ce · 2026-02-28T14:54:04.000Z
diff --git a/server/api/registry/image-proxy/index.get.ts b/server/api/registry/image-proxy/index.get.ts
@@ -58,49 +58,27 @@ export default defineEventHandler(async event => {
   // Verify HMAC signature to ensure this URL was generated server-side
   const { imageProxySecret } = useRuntimeConfig()
   if (!imageProxySecret || !verifyImageUrl(url, sig, imageProxySecret)) {
-    return {
-      place: 'sig',
-      url,
-      sig,
-      reqUrl: event.node.req.url,
-      reqOrigUrl: event.node.req.originalUrl,
-      imageProxySecret,
-    }
-    // throw createError({
-    //   statusCode: 403,
-    //   message: 'Invalid signature.',
-    // })
+    throw createError({
+      statusCode: 403,
+      message: 'Invalid signature.',
+    })
   }
 
   // Validate URL syntactically
   if (!isAllowedImageUrl(url)) {
-    return {
-      place: 'isAllowedImageUrl',
-      url,
-      sig,
-      reqUrl: event.node.req.url,
-      reqOrigUrl: event.node.req.originalUrl,
-    }
-    // throw createError({
-    //   statusCode: 400,
-    //   message: 'Invalid or disallowed image URL.',
-    // })
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
   }
 
   // Resolve hostname via DNS and validate the resolved IP is not private.
   // This prevents DNS rebinding attacks where a hostname resolves to a private IP.
   if (!(await resolveAndValidateHost(url))) {
-    return {
-      place: 'resolveAndValidateHost',
-      url,
-      sig,
-      reqUrl: event.node.req.url,
-      reqOrigUrl: event.node.req.originalUrl,
-    }
-    // throw createError({
-    //   statusCode: 400,
-    //   message: 'Invalid or disallowed image URL.',
-    // })
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid or disallowed image URL.',
+    })
   }
 
   try {
@@ -134,31 +112,17 @@ export default defineEventHandler(async event => {
 
       // Validate the redirect target before following it
       if (!isAllowedImageUrl(redirectUrl)) {
-        return {
-          place: 'isAllowedImageUrl 2',
-          url,
-          sig,
-          reqUrl: event.node.req.url,
-          reqOrigUrl: event.node.req.originalUrl,
-        }
-        // throw createError({
-        //   statusCode: 400,
-        //   message: 'Redirect to disallowed URL.',
-        // })
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
       }
 
       if (!(await resolveAndValidateHost(redirectUrl))) {
-        return {
-          place: 'resolveAndValidateHost 2',
-          url,
-          sig,
-          reqUrl: event.node.req.url,
-          reqOrigUrl: event.node.req.originalUrl,
-        }
-        // throw createError({
-        //   statusCode: 400,
-        //   message: 'Redirect to disallowed URL.',
-        // })
+        throw createError({
+          statusCode: 400,
+          message: 'Redirect to disallowed URL.',
+        })
       }
 
       // Consume the redirect response body to free resources
@@ -167,66 +131,38 @@ export default defineEventHandler(async event => {
     }
 
     if (!response) {
-      return {
-        place: 'response',
-        url,
-        sig,
-        reqUrl: event.node.req.url,
-        reqOrigUrl: event.node.req.originalUrl,
-      }
-      // throw createError({
-      //   statusCode: 502,
-      //   message: 'Failed to fetch image.',
-      // })
+      throw createError({
+        statusCode: 502,
+        message: 'Failed to fetch image.',
+      })
     }
 
     // Check if we exhausted the redirect limit
     if (REDIRECT_STATUSES.has(response.status)) {
       await response.body?.cancel()
-      return {
-        place: 'response 2',
-        url,
-        sig,
-        reqUrl: event.node.req.url,
-        reqOrigUrl: event.node.req.originalUrl,
-      }
-      // throw createError({
-      //   statusCode: 502,
-      // message: 'Too many redirects.',
-      // })
+      throw createError({
+        statusCode: 502,
+        message: 'Too many redirects.',
+      })
     }
 
     if (!response.ok) {
       await response.body?.cancel()
-      return {
-        place: 'response 3',
-        url,
-        sig,
-        reqUrl: event.node.req.url,
-        reqOrigUrl: event.node.req.originalUrl,
-      }
-      // throw createError({
-      //   statusCode: response.status === 404 ? 404 : 502,
-      // message: `Failed to fetch image: ${response.status}`,
-      // })
+      throw createError({
+        statusCode: response.status === 404 ? 404 : 502,
+        message: `Failed to fetch image: ${response.status}`,
+      })
     }
 
     const contentType = response.headers.get('content-type') || 'application/octet-stream'
 
     // Allow raster/vector image content types (we don't inject external content into DOM, so SVG is allowed too)
     if (!contentType.startsWith('image/')) {
       await response.body?.cancel()
-      return {
-        place: 'contentType',
-        url,
-        sig,
-        reqUrl: event.node.req.url,
-        reqOrigUrl: event.node.req.originalUrl,
-      }
-      // throw createError({
-      //   statusCode: 400,
-      // message: 'URL does not point to an allowed image type.',
-      // })
+      throw createError({
+        statusCode: 400,
+        message: 'URL does not point to an allowed image type.',
+      })
     }
 
     // Check Content-Length header if present (may be absent or dishonest)
@@ -288,28 +224,12 @@ export default defineEventHandler(async event => {
   } catch (error: unknown) {
     // Re-throw H3 errors
     if (error && typeof error === 'object' && 'statusCode' in error) {
-      return {
-        place: 'error',
-        url,
-        sig,
-        reqUrl: event.node.req.url,
-        reqOrigUrl: event.node.req.originalUrl,
-        error,
-      }
-      // throw error
+      throw error
     }
 
-    return {
-      place: 'error 2',
-      url,
-      sig,
-      reqUrl: event.node.req.url,
-      reqOrigUrl: event.node.req.originalUrl,
-      error,
-    }
-    // throw createError({
-    //   statusCode: 502,
-    //   message: 'Failed to proxy image.',
-    // })
+    throw createError({
+      statusCode: 502,
+      message: 'Failed to proxy image.',
+    })
   }
 })
