Skip to content

Comments

fix(next/image): fix image-optimizer.ts headers (#82114)#2

Open
MitchLewis930 wants to merge 1 commit intopr_032_beforefrom
pr_032_after
Open

fix(next/image): fix image-optimizer.ts headers (#82114)#2
MitchLewis930 wants to merge 1 commit intopr_032_beforefrom
pr_032_after

Conversation

@MitchLewis930
Copy link

@MitchLewis930 MitchLewis930 commented Jan 30, 2026

User description

PR_032


PR Type

Bug fix


Description

  • Remove headers forwarding from internal image requests

  • Ensure consistent behavior between internal and external images

  • Add test to verify cookie headers are not forwarded


Diagram Walkthrough

flowchart LR
  A["Internal Image Request"] -->|Previously forwarded headers| B["Mocked Request"]
  A -->|Now excludes headers| C["Mocked Request"]
  D["Test Case"] -->|Verifies cookie not forwarded| E["400 Status"]
Loading

File Walkthrough

Relevant files
Bug fix
image-optimizer.ts
Remove headers forwarding from internal images                     

packages/next/src/server/image-optimizer.ts

  • Removed headers: _req.headers from createRequestResponseMocks call in
    fetchInternalImage function
  • This prevents forwarding of request headers to internal image requests
  • Aligns internal image handling with external image behavior
+0/-1     
Tests
util.ts
Add test for cookie header non-forwarding                               

test/integration/image-optimizer/test/util.ts

  • Added new test case should not forward cookie header
  • Test verifies that cookie headers sent with image requests are not
    forwarded
  • Expects 400 status response when cookie header is present
+7/-0     
conditional-cookie.js
Add conditional cookie test endpoint                                         

test/integration/image-optimizer/app/pages/api/conditional-cookie.js

  • New API endpoint that checks for cookie header presence
  • Returns 401 if cookie header is missing
  • Returns base64 encoded PNG image if cookie header is present
+11/-0   

The headers were forwarded to the serverless function for "internal"
images but not "external" images.

This changes the behavior to be the same for both such that neither
receive headers.
@qodo-code-review
Copy link

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Copy link

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
General
Whitelist and forward Accept header

Forward only the accept header to internal image requests to ensure content
negotiation continues to function correctly after the change.

packages/next/src/server/image-optimizer.ts [634-638]

 const mocked = createRequestResponseMocks({
   url: href,
   method: _req.method || 'GET',
+  headers: {
+    accept: typeof _req.headers.accept === 'string'
+      ? _req.headers.accept
+      : Array.isArray(_req.headers.accept)
+        ? _req.headers.accept.join(', ')
+        : '',
+  },
   socket: _req.socket,
 })

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 9

__

Why: The PR removes all header forwarding, which would break content negotiation. This suggestion correctly identifies this regression and proposes to forward only the accept header, preserving the security fix while preventing the regression.

High
  • More

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants