Skip to content

Commit

Permalink
chore: check image url hostname is a trusted image domain
Browse files Browse the repository at this point in the history
  • Loading branch information
1emu committed Dec 19, 2024
1 parent 32a9e34 commit e9d602f
Showing 1 changed file with 47 additions and 0 deletions.
47 changes: 47 additions & 0 deletions src/utils/validations.ts
Original file line number Diff line number Diff line change
Expand Up @@ -239,9 +239,56 @@ export function stringToBoolean(str: string) {
}
}

const TRUSTED_IMAGE_DOMAINS = new Set([
// Decentraland domains
'decentraland.org',
'cdn.decentraland.org',
'peer.decentraland.org',
'market.decentraland.org',
'governance.decentraland.org',
'events.decentraland.org',

// Popular image hosting and CDNs
'ipfs.io', // IPFS gateway
'githubusercontent.com', // GitHub's image hosting
'imgur.com', // Imgur
'i.imgur.com',
'cloudinary.com', // Cloudinary CDN
'res.cloudinary.com',
'images.unsplash.com', // Unsplash
'i.ibb.co', // ImgBB
'postimg.cc', // PostImage
'i.postimg.cc',
's3.amazonaws.com', // AWS S3
'storage.googleapis.com', // Google Cloud Storage
'drive.google.com', // Google Drive
'dropboxusercontent.com', // Dropbox
'www.dropbox.com',
'media.discordapp.net', // Discord
'cdn.discordapp.com',
'discord.com',
'discord.gg',
])

function isFromTrustedDomain(url: string): boolean {
try {
const urlObject = new URL(url)
const hostname = urlObject.hostname
console.log('hostname', hostname)
return TRUSTED_IMAGE_DOMAINS.has(hostname)
} catch {
return false
}
}

export async function isValidImage(imageUrl: string) {
const allowedImageTypes = new Set(['image/bmp', 'image/jpeg', 'image/png', 'image/webp'])

if (!isFromTrustedDomain(imageUrl)) {
logger.error('Image not from trusted domain', { imageUrl })
return false
}

return new Promise<boolean>((resolve) => {
fetch(imageUrl)
.then((response) => {
Expand Down

0 comments on commit e9d602f

Please sign in to comment.