Merge pull request #12 from sillyangel/autofix/alert-1-e472fe2ba6

Fix code scanning alert #1: Server-side request forgery
sillyangel · Sep 20, 2024 · e15d93d · e15d93d
2 parents 62df70b + a1d5302
commit e15d93d
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/app.js b/app.js
@@ -25,8 +25,13 @@ app.use(express.static('public'));
 
 app.get('/image', async (req, res) => {
     const imageUrl = req.query.url;
+    const allowedDomains = ['playmusichtml.web.app', 'sillyangel.github.io']; // Add your trusted domains here
     if (imageUrl) {
       try {
+        const url = new URL(imageUrl);
+        if (!allowedDomains.includes(url.hostname)) {
+          return res.status(400).send('Invalid image URL domain.');
+        }
         const response = await axios.get(imageUrl, { responseType: 'arraybuffer' });
         const contentType = response.headers['content-type'];
         res.set('Content-Type', contentType);