
fix: allow http protocol in Next.js image remote patterns#823

Merged
thostetler merged 1 commit into adsabs:master from thostetler:fix/next-image-http-protocol
Mar 10, 2026

Conversation

@thostetler
Member

External journal article thumbnails served over plain HTTP (e.g.
ars.els-cdn.com) were rejected by the _next/image optimizer with
"url parameter is not allowed" because remotePatterns only included
https.

  • Added http protocol entry to images.remotePatterns in next.config.mjs

External journal article thumbnails served over plain HTTP (e.g.
ars.els-cdn.com) were rejected by the _next/image optimizer because
remotePatterns only included https. Added an http pattern entry.
Copilot AI review requested due to automatic review settings March 10, 2026 18:10
@thostetler thostetler merged commit 969405a into adsabs:master Mar 10, 2026
5 checks passed
@thostetler thostetler deleted the fix/next-image-http-protocol branch March 10, 2026 18:10
Contributor

Copilot AI left a comment


Pull request overview

Risk summary: High security risk due to broadening Next.js image optimization to fetch from arbitrary HTTP origins.

This PR updates the Next.js image configuration to allow optimizing remote images served over plain HTTP (to address external journal thumbnails rejected by _next/image).

Changes:

  • Added an http entry to images.remotePatterns in next.config.mjs alongside the existing https pattern.


},
{
protocol: 'http',
hostname: '**',
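Review bot: the new entry pairs `protocol: 'http'` with `hostname: '**'` and no `pathname`, so it accepts any HTTP host on any path, while the PR description names only `ars.els-cdn.com` as the host that needs plain HTTP. Scoping the entry to that host (`hostname: 'ars.els-cdn.com'`) delivers the stated fix without widening what the optimizer will fetch; note also that the suggested replacement in this thread (`adsabs.github.io` with `pathname: '/scixhelp/**'`) would not match the thumbnail host the description mentions, so applying it as-is would reintroduce the original error.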

Copilot AI Mar 10, 2026


images.remotePatterns is currently wildcarding hostname: '**'; adding an http wildcard means the image optimizer can now fetch from any HTTP origin. This significantly increases SSRF risk (e.g., access to internal HTTP-only endpoints like 169.254.169.254 / localhost services) and also allows insecure (MITM-able) upstream image fetching. Prefer restricting http to the minimal set of known hosts that actually require it (e.g., ars.els-cdn.com, optionally with a pathname constraint), or proxy/normalize these thumbnails to HTTPS instead of allowing arbitrary HTTP.

Suggested change
hostname: '**',
hostname: 'adsabs.github.io',
pathname: '/scixhelp/**',

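As an added example (not the project's code and not a Copilot suggestion), the following JavaScript models how a `remotePatterns` list admits or rejects an upstream image URL, and uses that model to compare the wildcard `http` entry merged in this PR with an entry restricted to the one host the description names. The matcher is a simplified approximation of the framework's own matching (an assumption, not Next.js code): `*` matches one hostname label or path segment, `**` matches any number of them, and an omitted `pathname` matches any path. The sample URLs are constructed; `ars.els-cdn.com` comes from the PR description and the internal endpoints from the review comment above.

```javascript
// Added example, not the project's code: a minimal model of how a Next.js
// images.remotePatterns list admits or rejects an upstream image URL.
// The matching below is a simplified approximation of the framework's own
// matcher (an assumption): "*" matches one hostname label or path segment,
// "**" matches any number of them, and an omitted pathname matches any path.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
}

// Turn a remotePatterns glob into an anchored regular expression.
// `sep` is the boundary character a single "*" must not cross:
// "." for hostnames, "/" for pathnames.
function globToRegExp(glob, sep) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    if (glob[i] === '*') {
      if (glob[i + 1] === '*') {
        re += '.*';
        i++;
      } else {
        re += `[^${escapeRegExp(sep)}]*`;
      }
    } else {
      re += escapeRegExp(glob[i]);
    }
  }
  return new RegExp(`^${re}$`);
}

// Does one remotePatterns entry accept this absolute URL?
function matchesRemotePattern(pattern, urlString) {
  const url = new URL(urlString);
  if (pattern.protocol !== undefined && url.protocol !== `${pattern.protocol}:`) return false;
  if ((pattern.port ?? '') !== url.port) return false;
  if (!globToRegExp(pattern.hostname, '.').test(url.hostname)) return false;
  if (!globToRegExp(pattern.pathname ?? '**', '/').test(url.pathname)) return false;
  return true;
}

// Would the image optimizer fetch this URL under the given remotePatterns list?
function isAllowed(remotePatterns, urlString) {
  return remotePatterns.some((p) => matchesRemotePattern(p, urlString));
}

// The configuration as merged in this PR: https and http, both on any host.
const WILDCARD_HTTP = [
  { protocol: 'https', hostname: '**' },
  { protocol: 'http', hostname: '**' },
];

// The alternative the review asks for: plain http only for the host named in
// the PR description. A pathname constraint could be added once the real
// thumbnail path prefix on that host is known (assumption: it is not on the page).
const RESTRICTED_HTTP = [
  { protocol: 'https', hostname: '**' },
  { protocol: 'http', hostname: 'ars.els-cdn.com' },
];

// Constructed sample URLs: the journal thumbnail case the PR fixes, and the
// internal HTTP-only endpoints the review comment warns about.
const SAMPLE_URLS = {
  thumbnail: 'http://ars.els-cdn.com/content/image/constructed-thumbnail.jpg',
  metadata: 'http://169.254.169.254/latest/meta-data/',
  localhost: 'http://localhost/admin',
  httpsAny: 'https://cdn.example.org/figure.png',
};

// Evaluate every sample URL under both configurations.
function compareConfigs() {
  const result = {};
  for (const [name, url] of Object.entries(SAMPLE_URLS)) {
    result[name] = {
      wildcard: isAllowed(WILDCARD_HTTP, url),
      restricted: isAllowed(RESTRICTED_HTTP, url),
    };
  }
  return result;
}

console.table(compareConfigs());
```

Running it shows the thumbnail host accepted under both lists, while the metadata and localhost URLs are accepted only under the wildcard list; the `https` wildcard that was already in the config is untouched by the restriction.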
@codecov

codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.9%. Comparing base (4453f01) to head (9cde3aa).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff            @@
##           master    #823     +/-   ##
========================================
- Coverage    61.9%   61.9%   -0.0%     
========================================
  Files         317     317             
  Lines       36549   36549             
  Branches     1642    1642             
========================================
- Hits        22619   22616      -3     
- Misses      13893   13896      +3     
  Partials       37      37             

see 3 files with indirect coverage changes

