
Random images returned #17

Closed
jackisace opened this issue Oct 22, 2021 · 3 comments

Comments

@jackisace

I have been using this service to pull information from a Warhammer site using JavaScript, and I have been using this information to create an app.

Lately, though, it has been returning random images, but not for all the links I use. I suspect that I have done something wrong, such as making too many requests to the same pages, or perhaps breaking rules of this nature.

But instead of random images - I would have expected some kind of message, telling me what I have done wrong.

I have attached a couple of sample images below so you can see what I mean. But there are a lot of other images of other people; I feel like it is being pulled from a social media site instead.

(attached screenshots: wtf4, wtf6)

@jolav (Owner)

jolav commented Oct 24, 2021

Can you give me some requests to test by myself ?

@GemOfEvan

Some insight for this. It was happening to me, but only specifically within a CEF browser (an OBS browser source to be specific). It was working correctly on my normal chrome instance, and only returning an image within the CEF.

I noticed that the status code was 200 (from disk cache), which makes me assume that image somehow got lodged into the cache.

Specifically this request caused the image to appear:
fetch('https://api.codetabs.com/v1/proxy?quest=https://tmi.twitch.tv/group/user/gemofevan/chatters')

while adding this header fixed it:
fetch('https://api.codetabs.com/v1/proxy?quest=https://tmi.twitch.tv/group/user/gemofevan/chatters', { cache: 'no-store' })

@Pilfer

Pilfer commented Jul 29, 2022

@jolav This looks to be an issue with you keeping the quest state on the proxy struct.

Make a few bogus calls to /v1/proxy/?quest=fake and you'll start getting leaked error responses from someone using your service to scrape Instagram photos and bypass their CORS policy.

Expected response:

{
    "Error": "http://fake is not a valid resource"
}

Actual (intermittent) response:

{
    "Error": "http://scontent-ord5-1.cdninstagram.com/v/t51.2885-15/280789304_1381299065722304_997617519172928938_n.webp?stp=dst-jpg_e35&_nc_ht=scontent-ord5-1.cdninstagram.com&_nc_cat=108&_nc_ohc=14xm4YFEWosAX-rbgGG&tn=Vmgbi72aB2kFFs-v&edm=AHlfZHwBAAAA&ccb=7-5&oh=00_AT_nZIhkbOy6gRFU7MqQWm_xPP6QZPJz5XUwgIjOpzveNA&oe=62E6C678&_nc_sid=21929d is not a valid resource"
}

The photo @jackisace is referencing is the default Instagram display picture, which shows that it may potentially be leaking elsewhere in the code.

To fix, don't manage the quest state on the struct - create and assign it in the HTTP handler and pass it to whatever other functions you need to down the line.

Also, I ended up hitting this service a little bit with a test client directly using the User-Agent Testing-Security-Will-Open-Issue-Soon. Don't be alarmed by that if you start looking through the logs! <3
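The bug pattern Pilfer describes above (per-request state kept on a struct that every concurrent request shares) and the fix he proposes (build the state inside the handler and pass it down) can be reproduced in a few lines of Go. The following is an added, self-contained example written for this page; it is not codetabs' code and does not reproduce its handler. The `leakyProxy`, `safeProxy`, `request` and `countLeaks` names, the 5 ms "upstream fetch" delay, and the `Cache-Control: no-store` response header on the fixed handler are all assumptions made here. The error body mirrors the `"http://fake is not a valid resource"` shape shown in the comment. `countLeaks` fires many concurrent requests, each with a distinct `quest`, and counts responses that echo a `quest` the caller never sent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// leakyProxy models the bug: the current request's quest lives on a struct
// that net/http shares between all in-flight requests. Guarding each access
// with a mutex keeps the race detector quiet, but the value is still shared,
// so request A can read the quest that request B stored while A was busy.
type leakyProxy struct {
	mu    sync.Mutex
	quest string
}

func (p *leakyProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.mu.Lock()
	p.quest = r.URL.Query().Get("quest")
	p.mu.Unlock()

	time.Sleep(5 * time.Millisecond) // stand-in for validating/fetching upstream

	p.mu.Lock()
	quest := p.quest // may now belong to a different caller
	p.mu.Unlock()
	writeError(w, quest)
}

// request is per-request state created inside the handler (assumed name).
type request struct {
	quest string
}

// safeProxy models the fix: state is built in the handler and passed down,
// so nothing about one caller's request is visible to another.
type safeProxy struct{}

func (safeProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	req := request{quest: r.URL.Query().Get("quest")}
	time.Sleep(5 * time.Millisecond)
	// Assumed hardening: tell browsers and intermediaries not to reuse one
	// caller's proxied body for another (the "200 (from disk cache)" symptom).
	w.Header().Set("Cache-Control", "no-store")
	writeError(w, req.quest)
}

// writeError emits the {"Error": "http://<quest> is not a valid resource"}
// body seen in the thread.
func writeError(w http.ResponseWriter, quest string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusBadRequest)
	_ = json.NewEncoder(w).Encode(map[string]string{
		"Error": fmt.Sprintf("http://%s is not a valid resource", quest),
	})
}

// countLeaks sends n concurrent requests with distinct quests (constructed
// input: fake0, fake1, ...) and returns how many responses name a quest
// that the requesting goroutine did not send.
func countLeaks(h http.Handler, n int) int {
	srv := httptest.NewServer(h)
	defer srv.Close()

	var wg sync.WaitGroup
	var mu sync.Mutex
	leaks := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			quest := fmt.Sprintf("fake%d", i)
			resp, err := http.Get(srv.URL + "/v1/proxy?quest=" + quest)
			if err != nil {
				return
			}
			defer resp.Body.Close()
			var body map[string]string
			if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
				return
			}
			if body["Error"] != fmt.Sprintf("http://%s is not a valid resource", quest) {
				mu.Lock()
				leaks++
				mu.Unlock()
			}
		}(i)
	}
	wg.Wait()
	return leaks
}

func main() {
	fmt.Println("shared-struct handler, cross-request leaks:", countLeaks(&leakyProxy{}, 200))
	fmt.Println("per-request handler, cross-request leaks: ", countLeaks(safeProxy{}, 200))
}
```

Running the block prints a non-zero leak count for the shared-struct handler and zero for the per-request one. The point worth keeping in mind is that a mutex does not make this safe: the defect is that the data has the wrong lifetime, not that it is accessed without locking, which is why the fix is to scope the state to the request rather than to add synchronization.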
