Skip to content

Respond with text/plain from /api/proxy and /api/blob #428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 29, 2024
Merged

Respond with text/plain from /api/proxy and /api/blob #428

merged 3 commits into from
Oct 29, 2024

Conversation

@ulrikandersen
Copy link
Contributor

@ulrikandersen ulrikandersen commented Oct 29, 2024
edited
Loading

Description

With this change the /api/proxy endpoint (which allows loading files from external URLs) will always respond Content-Type: text/plain. This is an extra layer of security (in addition to #417) to safeguard against serving HTML from the proxy endpoint which could be used for an XSS attack.

Furthermore the /api/blob endpoint (which is used for loading files from the repositories) will return text/plain unless the files in an image, in which case it will return image/*. GitHub already returns files in plain text even if they are .html, but we might as well be on the safe side.

Motivation and Context

NextResponse (underlying Response) will attempt to auto detect the content type based on the passed blob. With this change the auto detection is disabled and we always set the content type. It does not change functionality but it adds an extra safeguard to ensure we never return HTML/JavaScript from the proxy endpoint.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

@ulrikandersen
Always return text/plain from /api/proxy
779e8b0 
NextResponse (underlying Response) will attempt to auto detect the content type based on the passed blob. With this change the auto detection is disabled and we always return text/plain. It does not change functionality but it adds an extra safegaurd to ensure we never return HTML/JavaScript from the proxy endpoint.
@ulrikandersen
Fix test names
f0ae2d7
@ulrikandersen ulrikandersen changed the title Always return text/plain from /api/proxy Respond with text/plain from /api/proxy and /api/blob Oct 29, 2024
simonbs
simonbs approved these changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@simonbs simonbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@ulrikandersen ulrikandersen merged commit 5fef764 into develop Oct 29, 2024
7 checks passed
@ulrikandersen ulrikandersen deleted the proxy-fixed-content-type branch October 29, 2024 10:37
@ulrikandersen ulrikandersen mentioned this pull request Oct 29, 2024
Merged
@simonbs simonbs requested a review from Copilot November 19, 2024 19:40
Copilot AI reviewed Nov 19, 2024
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 3 out of 3 changed files in this pull request and generated no suggestions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@simonbs simonbs simonbs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ulrikandersen @simonbs