Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use middleware to ensure project logos are images #4104

Merged
merged 3 commits into from
Oct 25, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions src/components/ProjectLogo.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,11 @@ export default function ProjectLogo({
// This rewrites those URLs to use the Infura gateway.
if (uri.startsWith('https://jbx.mypinata.cloud')) {
const cid = cidFromUrl(uri)
return ipfsGatewayUrl(cid)
// Use `/api/image/[url].ts` to validate filetype.
return `/api/image/${encodeURIComponent(ipfsGatewayUrl(cid))}`
}

return ipfsUriToGatewayUrl(uri)
return `/api/image/${encodeURIComponent(ipfsUriToGatewayUrl(uri))}`
}, [uri, projectId, pv])

const validImg = imageSrc && !srcLoadError
Expand Down
58 changes: 58 additions & 0 deletions src/pages/api/image/[url].ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
import axios from 'axios'
import { getLogger } from 'lib/logger'
import { NextApiRequest, NextApiResponse } from 'next'

// Make sure an image is an accepted media type. Pass image URLs with encodeURIComponent
export default async function handler(
req: NextApiRequest,
res: NextApiResponse,
) {
const logger = getLogger('api/image/[url]')

const imageUrl = req.query?.url as string
if (!imageUrl) {
res.status(400).send('Bad Request: url not provided')
return
}

try {
const imageRes = await axios.get(imageUrl, {
responseType: 'arraybuffer',
})

// Ensure that the header reflects a valid image MIME type
const contentType = imageRes.headers['content-type']
const acceptedTypes = ['image/png', 'image/jpeg', 'image/jpg', 'image/gif']
if (!acceptedTypes.includes(contentType)) {
return res.status(403).json({ error: 'Forbidden. Invalid content-type.' })
}

// Check the file signature (magic numbers) https://en.wikipedia.org/wiki/List_of_file_signatures
const data = new Uint8Array(imageRes.data)
if (
!(data[0] === 0xff && data[1] === 0xd8 && data[2] === 0xff) && // JPEG
!(
data[0] === 0x89 &&
data[1] === 0x50 &&
data[2] === 0x4e &&
data[3] === 0x47
) && // PNG
!(
data[0] === 0x47 &&
data[1] === 0x49 &&
data[2] === 0x46 &&
data[3] === 0x38
) // GIF
) {
return res
.status(403)
.json({ error: 'Forbidden. Invalid file signature.' })
}

res.setHeader('Content-Type', contentType)
return res.end(imageRes.data, 'binary')
} catch (error) {
logger.error({ error })
return res.status(500).json({ error: 'failed to resolve image' })
}
}
30 changes: 29 additions & 1 deletion src/pages/api/juicebox/pv/[pv]/project/[projectId]/logo.ts
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,35 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
responseType: 'arraybuffer',
})

const contentType = logoImageRes.headers['content-type'] ?? 'image/png'
// Ensure that the header reflects a valid image MIME type
const contentType = logoImageRes.headers['content-type']
const acceptedTypes = ['image/png', 'image/jpeg', 'image/jpg', 'image/gif']
if (!acceptedTypes.includes(contentType)) {
return res.status(403).json({ error: 'Forbidden. Invalid content-type.' })
}

// Check the file signature (magic numbers) https://en.wikipedia.org/wiki/List_of_file_signatures
const data = new Uint8Array(logoImageRes.data)
if (
!(data[0] === 0xff && data[1] === 0xd8 && data[2] === 0xff) && // JPEG
!(
data[0] === 0x89 &&
data[1] === 0x50 &&
data[2] === 0x4e &&
data[3] === 0x47
) && // PNG
!(
data[0] === 0x47 &&
data[1] === 0x49 &&
data[2] === 0x46 &&
data[3] === 0x38
) // GIF
) {
return res
.status(403)
.json({ error: 'Forbidden. Invalid file signature.' })
}

res.setHeader('Content-Type', contentType)
res.setHeader('Content-Length', logoImageRes.data.length)
// cache for 5 minutes
Expand Down