Skip to content

Comments

fix(next/image): fix image-optimizer.ts headers (#82114)#2

Open
MitchLewis930 wants to merge 1 commit intopr_032_beforefrom
pr_032_after
Open

fix(next/image): fix image-optimizer.ts headers (#82114)#2
MitchLewis930 wants to merge 1 commit intopr_032_beforefrom
pr_032_after

Conversation

@MitchLewis930
Copy link

PR_032

The headers were forwarded to the serverless function for "internal"
images but not "external" images.

This changes the behavior to be the same for both such that neither
receive headers.
@greptile-apps
Copy link

greptile-apps bot commented Jan 29, 2026

Greptile Overview

Greptile Summary

This PR fixes a security issue where HTTP headers (including cookies) were being forwarded to internal image optimization endpoints. The change removes the headers: _req.headers parameter from createRequestResponseMocks() in fetchInternalImage(), aligning its behavior with fetchExternalImage() which never forwarded headers.

Key changes:

  • Removed header forwarding in packages/next/src/server/image-optimizer.ts:637 to prevent cookie leakage
  • Added test endpoint conditional-cookie.js that only serves images when cookies are present
  • Added regression test verifying cookies are not forwarded (expects 400 status)

Security impact: This prevents authentication credentials from being inadvertently passed to internal image routes that shouldn't receive them, closing a potential information disclosure vulnerability.

Confidence Score: 5/5

  • This PR is safe to merge - it fixes a security vulnerability with proper test coverage
  • The change is minimal (removing one line), well-tested with a regression test, and addresses a legitimate security concern by preventing cookie forwarding to internal image endpoints. The fix aligns internal and external image handling behavior.
  • No files require special attention

Important Files Changed

Filename Overview
packages/next/src/server/image-optimizer.ts Removed headers forwarding from fetchInternalImage to prevent cookie leakage to internal image routes
test/integration/image-optimizer/app/pages/api/conditional-cookie.js Added test endpoint that conditionally returns image based on cookie presence
test/integration/image-optimizer/test/util.ts Added test case verifying cookies are not forwarded to internal image endpoints

Sequence Diagram

sequenceDiagram
    participant Client
    participant ImageOptimizer
    participant fetchInternalImage
    participant MockRequest
    participant InternalAPI

    Client->>ImageOptimizer: Request internal image with Cookie header
    ImageOptimizer->>fetchInternalImage: Process internal image (href, req, res)
    Note over fetchInternalImage: BEFORE: headers forwarded<br/>AFTER: headers NOT forwarded
    fetchInternalImage->>MockRequest: createRequestResponseMocks({url, method, socket})
    Note over MockRequest: Creates mock without headers parameter
    MockRequest->>InternalAPI: Internal request WITHOUT Cookie
    InternalAPI-->>MockRequest: Response (401 if no cookie expected)
    MockRequest-->>fetchInternalImage: Return image data
    fetchInternalImage-->>ImageOptimizer: ImageUpstream
    ImageOptimizer-->>Client: Optimized image or error
Loading

Copy link

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants