fix: validate next/image params (#1661)

ascorbic · web-flow · commit c0937cf67e84 · 2022-10-05T16:26:38.000+01:00
* fix: validate next/image params

* fix: pass localPrefix to ipx

* chore(deps): update netlify/ipx

* chore: update lockfile

* chore: fix local image prefix

* chore: update error message
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/runtime/package.json b/packages/runtime/package.json
@@ -12,7 +12,7 @@
   "dependencies": {
     "@netlify/esbuild": "0.14.39",
     "@netlify/functions": "^1.3.0",
-    "@netlify/ipx": "^1.2.5",
+    "@netlify/ipx": "^1.3.0",
     "@vercel/node-bridge": "^2.1.0",
     "chalk": "^4.1.2",
     "destr": "^1.1.1",
diff --git a/packages/runtime/src/templates/edge/ipx.ts b/packages/runtime/src/templates/edge/ipx.ts
@@ -9,6 +9,9 @@ interface ImageConfig extends Record<string, unknown> {
   formats?: string[]
 }
 
+// Checks if a URL param is numeric
+const isNumeric = (value: string | null) => Number(value).toString() === value
+
 /**
  * Implement content negotiation for images
  */
@@ -28,10 +31,28 @@ const handler = async (req: Request, context: Context) => {
 
   const source = searchParams.get('url')
   const width = searchParams.get('w')
-  const quality = searchParams.get('q') ?? 75
+  const quality = searchParams.get('q') ?? '75'
+
+  const errors: Array<string> = []
+
+  if (!source) {
+    errors.push('Missing "url" parameter')
+  } else if (!source.startsWith('http') && !source.startsWith('/')) {
+    errors.push('The "url" parameter must be a valid URL or path')
+  }
+
+  if (!width) {
+    errors.push('Missing "w" parameter')
+  } else if (!isNumeric(width)) {
+    errors.push('Invalid "w" parameter')
+  }
+
+  if (!isNumeric(quality)) {
+    errors.push('Invalid "q" parameter')
+  }
 
-  if (!source || !width) {
-    return new Response('Invalid request', {
+  if (!source || errors.length > 0) {
+    return new Response(`Invalid request: \n${errors.join('\n')}`, {
       status: 400,
     })
   }
diff --git a/packages/runtime/src/templates/ipx.ts b/packages/runtime/src/templates/ipx.ts
@@ -10,5 +10,6 @@ export const handler: Handler = createIPXHandler({
   domains,
   remotePatterns,
   responseHeaders,
+  localPrefix: '/_next/static/media/',
 }) as Handler
 /* eslint-enable n/no-missing-import, import/no-unresolved, @typescript-eslint/ban-ts-comment  */
