fix(next/image): fix image-optimizer.ts headers (#82114)#2
MitchLewis930 wants to merge 1 commit into pr_032_before from
Conversation
The headers were forwarded to the serverless function for "internal" images but not "external" images. This changes the behavior to be the same for both such that neither receives headers.
Pull request overview
This PR fixes a security issue in the Next.js image optimizer by preventing sensitive headers (like cookies) from being forwarded to internal image requests. The change removes the headers forwarding in image-optimizer.ts and adds test coverage to verify that cookie headers are no longer passed through.
Changes:
- Removed headers forwarding in the internal image request handler
- Added test case to verify cookie headers are blocked
- Added API endpoint to test cookie header blocking behavior
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/next/src/server/image-optimizer.ts | Removed headers parameter from internal image request to prevent forwarding sensitive headers |
| test/integration/image-optimizer/test/util.ts | Added test case verifying cookie headers are not forwarded to image requests |
| test/integration/image-optimizer/app/pages/api/conditional-cookie.js | Added test API endpoint that checks for cookie headers to validate the fix |
| const query = { w: ctx.w, q: 30, url: '/api/conditional-cookie' } | ||
| const opts = { headers: { accept: 'image/webp', cookie: '1' } } | ||
| const res = await fetchViaHTTP(ctx.appPort, '/_next/image', query, opts) | ||
| expect(res.status).toBe(400) |
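Review bot: the assertion `expect(res.status).toBe(400)` only shows the cookie was not forwarded if a forwarded cookie would have produced a different result, and the test never exercises that side. Suggest also asserting on the response body so that a 400 caused by the upstream 401 ('cookie was not found') is distinguished from a 400 raised for an unrelated reason such as an unacceptable `w` or `q` value, and adding a companion request to the same `/api/conditional-cookie` route without the `cookie` header to confirm both paths give the same answer, which is the "neither receive headers" behaviour the description claims.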
The test expects a 400 status code, but based on the test API endpoint in conditional-cookie.js, when the cookie header is missing (which is the expected behavior after the fix), the endpoint returns a 401 status with the message 'cookie was not found'. The test should verify that the image optimizer rejects the request before it reaches the API endpoint, or should expect a 401 status to match the API's behavior when cookies are absent.