From 779e8b0066d8fc02f1d0fcb71b2628265e0e2385 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen
Date: Tue, 29 Oct 2024 08:33:06 +0100
Subject: [PATCH 1/3] Always return text/plain from /api/proxy

NextResponse (underlying Response) will attempt to auto detect the content type based on the passed blob. With this change the auto detection is disabled and we always return text/plain. It does not change functionality but it adds an extra safegaurd to ensure we never return HTML/JavaScript from the proxy endpoint.
---
 src/app/api/proxy/route.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/api/proxy/route.ts b/src/app/api/proxy/route.ts
index 4a6c4b9a..5d5f10b4 100644
--- a/src/app/api/proxy/route.ts
+++ b/src/app/api/proxy/route.ts
@@ -30,7 +30,7 @@ export async function GET(req: NextRequest) {
 const maxBytes = maxMegabytes * 1024 * 1024
 const fileText = await downloadFile({ url, maxBytes, timeoutInSeconds })
 checkIfJsonOrYaml(fileText)
- return new NextResponse(fileText, { status: 200 })
+ return new NextResponse(fileText, { status: 200, headers: { "Content-Type": "text/plain" } })
 } catch (error) {
 if (error instanceof Error == false) {
 return makeAPIErrorResponse(500, "An unknown error occurred.")
From f0ae2d777b2e1114e8563871bc1a9c5393a16ff8 Mon Sep 17 00:00:00 2001
From: Ulrik Andersen
Date: Tue, 29 Oct 2024 08:44:27 +0100
Subject: [PATCH 2/3] Fix test names
---
 .../common/github/RepoRestrictedGitHubClient.test.ts | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/__test__/common/github/RepoRestrictedGitHubClient.test.ts b/__test__/common/github/RepoRestrictedGitHubClient.test.ts
index 852e6754..134968c0 100644
--- a/__test__/common/github/RepoRestrictedGitHubClient.test.ts
+++ b/__test__/common/github/RepoRestrictedGitHubClient.test.ts
@@ -7,7 +7,6 @@ import {
 GetRepositoryContentRequest,
 GraphQLQueryRequest,
 UpdatePullRequestCommentRequest,
- GitHubClient
 } from "@/common";
 import { jest } from '@jest/globals';
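Review bot: Setting `Content-Type: text/plain` on the added `return new NextResponse(...)` line does not by itself stop a browser from sniffing the body, which is what the commit message says it wants to rule out; pair it with `X-Content-Type-Options: nosniff` and declare the charset, e.g. `headers: { "Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff" }`. Because `checkIfJsonOrYaml(fileText)` on the line above already validates the body, the header is a second layer rather than the primary control, which is worth stating in a short comment such as `// fixed type + nosniff: never let the browser guess an HTML/script type for proxied content`. The `url` that downloadFile fetches is assigned outside this hunk, so whether its destination is restricted cannot be judged here. GET's body starts before and continues after the hunk (the catch block is cut off).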
@@ -37,7 +36,7 @@ describe('RepoRestrictedGitHubClient', () => {
 expect(gitHubClient.graphql).toHaveBeenCalledWith(request);
 });
- it('should check suffix for getRepositoryContent', async () => {
+ it('should delegate getRepositoryContent to the underlying client', async () => {
 const request: GetRepositoryContentRequest = {
 repositoryName: 'repo-suffix', path: '', repositoryOwner: '',
@@ -56,7 +55,7 @@ describe('RepoRestrictedGitHubClient', () => {
 await expect(client.getRepositoryContent(request)).rejects.toThrow("Invalid repository name");
 });
- it('should check suffix for getPullRequestFiles', async () => {
+ it('should delegate getPullRequestFiles to the underlying client', async () => {
 const request: GetPullRequestFilesRequest = {
 repositoryName: 'repo-suffix', pullRequestNumber: 1, appInstallationId: 0,
@@ -75,7 +74,7 @@ describe('RepoRestrictedGitHubClient', () => {
 await expect(client.getPullRequestFiles(request)).rejects.toThrow("Invalid repository name");
 });
- it('should check suffix for getPullRequestComments', async () => {
+ it('should delegate getPullRequestComments to the underlying client', async () => {
 const request: GetPullRequestCommentsRequest = {
 repositoryName: 'repo-suffix', pullRequestNumber: 1, appInstallationId: 0,
@@ -94,7 +93,7 @@ describe('RepoRestrictedGitHubClient', () => {
 await expect(client.getPullRequestComments(request)).rejects.toThrow("Invalid repository name");
 });
- it('should check suffix for addCommentToPullRequest', async () => {
+ it('should delegate addCommentToPullRequest to the underlying client', async () => {
 const request: AddCommentToPullRequestRequest = {
 repositoryName: 'repo-suffix', pullRequestNumber: 1, body: '', appInstallationId: 0,
@@ -113,7 +112,7 @@ describe('RepoRestrictedGitHubClient', () => {
 await expect(client.addCommentToPullRequest(request)).rejects.toThrow("Invalid repository name");
 });
- it('should check suffix for updatePullRequestComment', async () => {
+ it('should delegate updatePullRequestComment to the underlying client', async () => {
 const request: UpdatePullRequestCommentRequest = {
 repositoryName: 'repo-suffix', commentId: 1, body: '', appInstallationId: 0,
From 9d979c50af5b3c6766d14ed4c45584497716f88a Mon Sep 17 00:00:00 2001
From: Ulrik Andersen
Date: Tue, 29 Oct 2024 08:55:24 +0100
Subject: [PATCH 3/3] Return text/plain or image/* from /api/blob
---
 src/app/api/blob/[owner]/[repository]/[...path]/route.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/app/api/blob/[owner]/[repository]/[...path]/route.ts b/src/app/api/blob/[owner]/[repository]/[...path]/route.ts
index ad91bf3d..cf7e43a0 100644
--- a/src/app/api/blob/[owner]/[repository]/[...path]/route.ts
+++ b/src/app/api/blob/[owner]/[repository]/[...path]/route.ts
@@ -28,6 +28,8 @@ export async function GET(req: NextRequest, { params }: { params: GetBlobParams
 const cacheExpirationInSeconds = 60 * 60 * 24 * 30 // 30 days
 headers.set("Content-Type", "image/*");
 headers.set("Cache-Control", `max-age=${cacheExpirationInSeconds}`)
+ } else {
+ headers.set("Content-Type", "text/plain");
 }
 return new NextResponse(file, { status: 200, headers })
 }
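Review bot: The new `else` branch sends `text/plain`, but neither it nor the image branch above it tells the client not to sniff the blob, so add `headers.set("X-Content-Type-Options", "nosniff")` on a line just before the `return` where it covers both branches, and prefer `text/plain; charset=utf-8` for the new header. The pre-existing `image/*` is a wildcard of the kind used in Accept headers, not a concrete media type a response should carry; the condition that selects that branch is outside this hunk, so whether it can match an SVG (a script-capable format) cannot be checked here, and if it can, a concrete type plus nosniff is what stops a directly navigated blob from being rendered as markup. A one-line comment such as `// explicit type + nosniff: repository blobs must never be interpreted as HTML/JS` would record the intent. GET starts before the hunk; its final `}` appears to be the last line shown.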