ipx 0.9.4 → 0.9.6

package/dist/chunks/middleware.cjs

@@ -5,7 +5,6 @@ const imageMeta = require('image-meta');
 const ufo = require('ufo');
 const fs = require('fs');
 const pathe = require('pathe');
-const isValidPath = require('is-valid-path');
 const http = require('http');
 const https = require('https');
 const ohmyfetch = require('ohmyfetch');
@@ -16,7 +15,6 @@ const xss = require('xss');
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e["default"] : e; }
 
 const defu__default = /*#__PURE__*/_interopDefaultLegacy(defu);
-const isValidPath__default = /*#__PURE__*/_interopDefaultLegacy(isValidPath);
 const http__default = /*#__PURE__*/_interopDefaultLegacy(http);
 const https__default = /*#__PURE__*/_interopDefaultLegacy(https);
 const destr__default = /*#__PURE__*/_interopDefaultLegacy(destr);
@@ -74,9 +72,9 @@ function cachedPromise(fn) {
 }
 class IPXError extends Error {
 }
-function createError(message, statusCode) {
-  const err = new IPXError(message);
-  err.statusMessage = "IPX: " + message;
+function createError(statusMessage, statusCode, trace) {
+  const err = new IPXError(statusMessage + (trace ? ` (${trace})` : ""));
+  err.statusMessage = "IPX: " + statusMessage;
   err.statusCode = statusCode;
   return err;
 }
@@ -85,29 +83,35 @@ const createFilesystemSource = (options) => {
   const rootDir = pathe.resolve(options.dir);
   return async (id) => {
     const fsPath = pathe.resolve(pathe.join(rootDir, id));
-    if (!isValidPath__default(id) || id.includes("..") || !fsPath.startsWith(rootDir)) {
-      throw createError("Forbidden path:" + id, 403);
+    if (!isValidPath(fsPath) || !fsPath.startsWith(rootDir)) {
+      throw createError("Forbidden path", 403, id);
     }
     let stats;
     try {
       stats = await fs.promises.stat(fsPath);
     } catch (err) {
       if (err.code === "ENOENT") {
-        throw createError("File not found: " + fsPath, 404);
+        throw createError("File not found", 404, fsPath);
       } else {
-        throw createError("File access error for " + fsPath + ":" + err.code, 403);
+        throw createError("File access error " + err.code, 403, fsPath);
       }
     }
     if (!stats.isFile()) {
-      throw createError("Path should be a file: " + fsPath, 400);
+      throw createError("Path should be a file", 400, fsPath);
     }
     return {
       mtime: stats.mtime,
-      maxAge: options.maxAge || 300,
+      maxAge: options.maxAge,
       getData: cachedPromise(() => fs.promises.readFile(fsPath))
     };
   };
 };
+function isValidPath(fp) {
+  if (/[<>:"|?*]/.test(fp)) {
+    return false;
+  }
+  return true;
+}
 
 const createHTTPSource = (options) => {
   const httpsAgent = new https__default.Agent({ keepAlive: true });
@@ -120,18 +124,19 @@ const createHTTPSource = (options) => {
   return async (id, reqOptions) => {
     const url = new URL(id);
     if (!url.hostname) {
-      throw createError("Hostname is missing: " + id, 403);
+      throw createError("Hostname is missing", 403, id);
     }
     if (!reqOptions?.bypassDomain && !hosts.find((host) => url.hostname === host)) {
-      throw createError("Forbidden host: " + url.hostname, 403);
+      throw createError("Forbidden host", 403, url.hostname);
     }
     const response = await ohmyfetch.fetch(id, {
-      agent: id.startsWith("https") ? httpsAgent : httpAgent
+      agent: id.startsWith("https") ? httpsAgent : httpAgent,
+      ...options.fetchOptions
     });
     if (!response.ok) {
-      throw createError(response.statusText || "fetch error", response.status || 500);
+      throw createError("Fetch error", response.status || 500, response.statusText);
     }
-    let maxAge = options.maxAge || 300;
+    let maxAge = options.maxAge;
     const _cacheControl = response.headers.get("cache-control");
     if (_cacheControl) {
       const m = _cacheControl.match(/max-age=(\d+)/);
@@ -147,7 +152,7 @@ const createHTTPSource = (options) => {
     return {
       mtime,
       maxAge,
-      getData: cachedPromise(() => response.buffer())
+      getData: cachedPromise(() => response.arrayBuffer().then((ab) => Buffer.from(ab)))
     };
   };
 };
@@ -384,12 +389,14 @@ const h = height;
 const s = resize;
 const pos = position;
 
-const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff"];
+const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff", "gif"];
 function createIPX(userOptions) {
   const defaults = {
     dir: getEnv("IPX_DIR", "."),
     domains: getEnv("IPX_DOMAINS", []),
     alias: getEnv("IPX_ALIAS", {}),
+    fetchOptions: getEnv("IPX_FETCH_OPTIONS", {}),
+    maxAge: getEnv("IPX_MAX_AGE", 300),
     sharp: {}
   };
   const options = defu__default(userOptions, defaults);
@@ -399,12 +406,15 @@ function createIPX(userOptions) {
   };
   if (options.dir) {
     ctx.sources.filesystem = createFilesystemSource({
-      dir: options.dir
+      dir: options.dir,
+      maxAge: options.maxAge
     });
   }
   if (options.domains) {
     ctx.sources.http = createHTTPSource({
-      domains: options.domains
+      domains: options.domains,
+      fetchOptions: options.fetchOptions,
+      maxAge: options.maxAge
     });
   }
   return function ipx(id, modifiers = {}, reqOptions = {}) {
@@ -420,7 +430,7 @@ function createIPX(userOptions) {
     const getSrc = cachedPromise(() => {
       const source = ufo.hasProtocol(id) ? "http" : "filesystem";
       if (!ctx.sources[source]) {
-        throw createError("Unknown source: " + source, 400);
+        throw createError("Unknown source", 400, source);
       }
       return ctx.sources[source](id, reqOptions);
     });
@@ -440,10 +450,7 @@ function createIPX(userOptions) {
           meta
         };
       }
-      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0;
-      if (animated) {
-        format = "webp";
-      }
+      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0 || format === "gif";
       const Sharp = await import('sharp').then((r) => r.default || r);
       let sharp = Sharp(data, { animated });
       Object.assign(sharp.options, options.sharp);
@@ -476,6 +483,8 @@ function createIPX(userOptions) {
   };
 }
 
+const MODIFIER_SEP = /[,&]/g;
+const MODIFIER_VAL_SEP = /[_=:]/g;
 async function _handleRequest(req, ipx) {
   const res = {
     statusCode: 200,
@@ -483,19 +492,19 @@ async function _handleRequest(req, ipx) {
     headers: {},
     body: ""
   };
-  const [modifiersStr = "", ...idSegments] = req.url.substr(1).split("/");
-  const id = ufo.decode(idSegments.join("/"));
+  const [modifiersStr = "", ...idSegments] = req.url.substring(1).split("/");
+  const id = safeString(ufo.decode(idSegments.join("/")));
   if (!modifiersStr) {
-    throw createError("Modifiers is missing in path: " + req.url, 400);
+    throw createError("Modifiers are missing", 400, req.url);
   }
   if (!id || id === "/") {
-    throw createError("Resource id is missing: " + req.url, 400);
+    throw createError("Resource id is missing", 400, req.url);
   }
   const modifiers = /* @__PURE__ */ Object.create(null);
   if (modifiersStr !== "_") {
-    for (const p of modifiersStr.split(",")) {
-      const [key, value = ""] = p.split("_");
-      modifiers[key] = ufo.decode(value);
+    for (const p of modifiersStr.split(MODIFIER_SEP)) {
+      const [key, value = ""] = p.split(MODIFIER_VAL_SEP);
+      modifiers[safeString(key)] = safeString(ufo.decode(value));
     }
   }
   const img = ipx(id, modifiers, req.options);
@@ -509,7 +518,7 @@ async function _handleRequest(req, ipx) {
     }
     res.headers["Last-Modified"] = +src.mtime + "";
   }
-  if (src.maxAge !== void 0) {
+  if (typeof src.maxAge === "number") {
     res.headers["Cache-Control"] = `max-age=${+src.maxAge}, public, s-maxage=${+src.maxAge}`;
   }
   const { data, format } = await img.data();
@@ -523,21 +532,21 @@ async function _handleRequest(req, ipx) {
     res.headers["Content-Type"] = `image/${format}`;
   }
   res.body = data;
-  return res;
+  return sanetizeReponse(res);
 }
 function handleRequest(req, ipx) {
   return _handleRequest(req, ipx).catch((err) => {
     const statusCode = parseInt(err.statusCode) || 500;
-    const statusMessage = err.statusMessage ? xss__default(err.statusMessage) : `IPX Error (${statusCode})`;
+    const statusMessage = err.statusMessage ? err.statusMessage : `IPX Error (${statusCode})`;
     if (process.env.NODE_ENV !== "production" && statusCode === 500) {
       console.error(err);
     }
-    return {
+    return sanetizeReponse({
       statusCode,
       statusMessage,
-      body: statusMessage,
+      body: "IPX Error: " + err,
       headers: {}
-    };
+    });
   });
 }
 function createIPXMiddleware(ipx) {
@@ -552,6 +561,24 @@ function createIPXMiddleware(ipx) {
     });
   };
 }
+function sanetizeReponse(res) {
+  return {
+    statusCode: res.statusCode || 200,
+    statusMessage: res.statusMessage ? safeString(res.statusMessage) : "OK",
+    headers: safeStringObject(res.headers || {}),
+    body: typeof res.body === "string" ? xss__default(safeString(res.body)) : res.body || ""
+  };
+}
+function safeString(input) {
+  return JSON.stringify(input).replace(/^"|"$/g, "");
+}
+function safeStringObject(input) {
+  const dst = {};
+  for (const key in input) {
+    dst[key] = safeString(input[key]);
+  }
+  return dst;
+}
 
 exports.createIPX = createIPX;
 exports.createIPXMiddleware = createIPXMiddleware;

package/dist/chunks/middleware.mjs

@@ -3,7 +3,6 @@ import { imageMeta } from 'image-meta';
 import { parseURL, withLeadingSlash, hasProtocol, joinURL, decode } from 'ufo';
 import { promises } from 'fs';
 import { resolve, join } from 'pathe';
-import isValidPath from 'is-valid-path';
 import http from 'http';
 import https from 'https';
 import { fetch } from 'ohmyfetch';
@@ -62,9 +61,9 @@ function cachedPromise(fn) {
 }
 class IPXError extends Error {
 }
-function createError(message, statusCode) {
-  const err = new IPXError(message);
-  err.statusMessage = "IPX: " + message;
+function createError(statusMessage, statusCode, trace) {
+  const err = new IPXError(statusMessage + (trace ? ` (${trace})` : ""));
+  err.statusMessage = "IPX: " + statusMessage;
   err.statusCode = statusCode;
   return err;
 }
@@ -73,29 +72,35 @@ const createFilesystemSource = (options) => {
   const rootDir = resolve(options.dir);
   return async (id) => {
     const fsPath = resolve(join(rootDir, id));
-    if (!isValidPath(id) || id.includes("..") || !fsPath.startsWith(rootDir)) {
-      throw createError("Forbidden path:" + id, 403);
+    if (!isValidPath(fsPath) || !fsPath.startsWith(rootDir)) {
+      throw createError("Forbidden path", 403, id);
     }
     let stats;
     try {
       stats = await promises.stat(fsPath);
     } catch (err) {
       if (err.code === "ENOENT") {
-        throw createError("File not found: " + fsPath, 404);
+        throw createError("File not found", 404, fsPath);
       } else {
-        throw createError("File access error for " + fsPath + ":" + err.code, 403);
+        throw createError("File access error " + err.code, 403, fsPath);
       }
     }
     if (!stats.isFile()) {
-      throw createError("Path should be a file: " + fsPath, 400);
+      throw createError("Path should be a file", 400, fsPath);
     }
     return {
       mtime: stats.mtime,
-      maxAge: options.maxAge || 300,
+      maxAge: options.maxAge,
       getData: cachedPromise(() => promises.readFile(fsPath))
     };
   };
 };
+function isValidPath(fp) {
+  if (/[<>:"|?*]/.test(fp)) {
+    return false;
+  }
+  return true;
+}
 
 const createHTTPSource = (options) => {
   const httpsAgent = new https.Agent({ keepAlive: true });
@@ -108,18 +113,19 @@ const createHTTPSource = (options) => {
   return async (id, reqOptions) => {
     const url = new URL(id);
     if (!url.hostname) {
-      throw createError("Hostname is missing: " + id, 403);
+      throw createError("Hostname is missing", 403, id);
     }
     if (!reqOptions?.bypassDomain && !hosts.find((host) => url.hostname === host)) {
-      throw createError("Forbidden host: " + url.hostname, 403);
+      throw createError("Forbidden host", 403, url.hostname);
     }
     const response = await fetch(id, {
-      agent: id.startsWith("https") ? httpsAgent : httpAgent
+      agent: id.startsWith("https") ? httpsAgent : httpAgent,
+      ...options.fetchOptions
     });
     if (!response.ok) {
-      throw createError(response.statusText || "fetch error", response.status || 500);
+      throw createError("Fetch error", response.status || 500, response.statusText);
     }
-    let maxAge = options.maxAge || 300;
+    let maxAge = options.maxAge;
     const _cacheControl = response.headers.get("cache-control");
     if (_cacheControl) {
       const m = _cacheControl.match(/max-age=(\d+)/);
@@ -135,7 +141,7 @@ const createHTTPSource = (options) => {
     return {
       mtime,
       maxAge,
-      getData: cachedPromise(() => response.buffer())
+      getData: cachedPromise(() => response.arrayBuffer().then((ab) => Buffer.from(ab)))
     };
   };
 };
@@ -372,12 +378,14 @@ const h = height;
 const s = resize;
 const pos = position;
 
-const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff"];
+const SUPPORTED_FORMATS = ["jpeg", "png", "webp", "avif", "tiff", "gif"];
 function createIPX(userOptions) {
   const defaults = {
     dir: getEnv("IPX_DIR", "."),
     domains: getEnv("IPX_DOMAINS", []),
     alias: getEnv("IPX_ALIAS", {}),
+    fetchOptions: getEnv("IPX_FETCH_OPTIONS", {}),
+    maxAge: getEnv("IPX_MAX_AGE", 300),
     sharp: {}
   };
   const options = defu(userOptions, defaults);
@@ -387,12 +395,15 @@ function createIPX(userOptions) {
   };
   if (options.dir) {
     ctx.sources.filesystem = createFilesystemSource({
-      dir: options.dir
+      dir: options.dir,
+      maxAge: options.maxAge
     });
   }
   if (options.domains) {
     ctx.sources.http = createHTTPSource({
-      domains: options.domains
+      domains: options.domains,
+      fetchOptions: options.fetchOptions,
+      maxAge: options.maxAge
     });
   }
   return function ipx(id, modifiers = {}, reqOptions = {}) {
@@ -408,7 +419,7 @@ function createIPX(userOptions) {
     const getSrc = cachedPromise(() => {
       const source = hasProtocol(id) ? "http" : "filesystem";
       if (!ctx.sources[source]) {
-        throw createError("Unknown source: " + source, 400);
+        throw createError("Unknown source", 400, source);
       }
       return ctx.sources[source](id, reqOptions);
     });
@@ -428,10 +439,7 @@ function createIPX(userOptions) {
           meta
         };
       }
-      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0;
-      if (animated) {
-        format = "webp";
-      }
+      const animated = modifiers.animated !== void 0 || modifiers.a !== void 0 || format === "gif";
       const Sharp = await import('sharp').then((r) => r.default || r);
       let sharp = Sharp(data, { animated });
       Object.assign(sharp.options, options.sharp);
@@ -464,6 +472,8 @@ function createIPX(userOptions) {
   };
 }
 
+const MODIFIER_SEP = /[,&]/g;
+const MODIFIER_VAL_SEP = /[_=:]/g;
 async function _handleRequest(req, ipx) {
   const res = {
     statusCode: 200,
@@ -471,19 +481,19 @@ async function _handleRequest(req, ipx) {
     headers: {},
     body: ""
   };
-  const [modifiersStr = "", ...idSegments] = req.url.substr(1).split("/");
-  const id = decode(idSegments.join("/"));
+  const [modifiersStr = "", ...idSegments] = req.url.substring(1).split("/");
+  const id = safeString(decode(idSegments.join("/")));
   if (!modifiersStr) {
-    throw createError("Modifiers is missing in path: " + req.url, 400);
+    throw createError("Modifiers are missing", 400, req.url);
   }
   if (!id || id === "/") {
-    throw createError("Resource id is missing: " + req.url, 400);
+    throw createError("Resource id is missing", 400, req.url);
   }
   const modifiers = /* @__PURE__ */ Object.create(null);
   if (modifiersStr !== "_") {
-    for (const p of modifiersStr.split(",")) {
-      const [key, value = ""] = p.split("_");
-      modifiers[key] = decode(value);
+    for (const p of modifiersStr.split(MODIFIER_SEP)) {
+      const [key, value = ""] = p.split(MODIFIER_VAL_SEP);
+      modifiers[safeString(key)] = safeString(decode(value));
     }
   }
   const img = ipx(id, modifiers, req.options);
@@ -497,7 +507,7 @@ async function _handleRequest(req, ipx) {
     }
     res.headers["Last-Modified"] = +src.mtime + "";
   }
-  if (src.maxAge !== void 0) {
+  if (typeof src.maxAge === "number") {
     res.headers["Cache-Control"] = `max-age=${+src.maxAge}, public, s-maxage=${+src.maxAge}`;
   }
   const { data, format } = await img.data();
@@ -511,21 +521,21 @@ async function _handleRequest(req, ipx) {
     res.headers["Content-Type"] = `image/${format}`;
   }
   res.body = data;
-  return res;
+  return sanetizeReponse(res);
 }
 function handleRequest(req, ipx) {
   return _handleRequest(req, ipx).catch((err) => {
     const statusCode = parseInt(err.statusCode) || 500;
-    const statusMessage = err.statusMessage ? xss(err.statusMessage) : `IPX Error (${statusCode})`;
+    const statusMessage = err.statusMessage ? err.statusMessage : `IPX Error (${statusCode})`;
     if (process.env.NODE_ENV !== "production" && statusCode === 500) {
       console.error(err);
     }
-    return {
+    return sanetizeReponse({
       statusCode,
       statusMessage,
-      body: statusMessage,
+      body: "IPX Error: " + err,
       headers: {}
-    };
+    });
   });
 }
 function createIPXMiddleware(ipx) {
@@ -540,5 +550,23 @@ function createIPXMiddleware(ipx) {
     });
   };
 }
+function sanetizeReponse(res) {
+  return {
+    statusCode: res.statusCode || 200,
+    statusMessage: res.statusMessage ? safeString(res.statusMessage) : "OK",
+    headers: safeStringObject(res.headers || {}),
+    body: typeof res.body === "string" ? xss(safeString(res.body)) : res.body || ""
+  };
+}
+function safeString(input) {
+  return JSON.stringify(input).replace(/^"|"$/g, "");
+}
+function safeStringObject(input) {
+  const dst = {};
+  for (const key in input) {
+    dst[key] = safeString(input[key]);
+  }
+  return dst;
+}
 
 export { createIPXMiddleware as a, createIPX as c, handleRequest as h };

package/dist/cli.cjs

@@ -8,7 +8,6 @@ require('image-meta');
 require('ufo');
 require('fs');
 require('pathe');
-require('is-valid-path');
 require('http');
 require('https');
 require('ohmyfetch');

package/dist/cli.mjs

@@ -6,7 +6,6 @@ import 'image-meta';
 import 'ufo';
 import 'fs';
 import 'pathe';
-import 'is-valid-path';
 import 'http';
 import 'https';
 import 'ohmyfetch';

package/dist/index.cjs

@@ -8,7 +8,6 @@ require('image-meta');
 require('ufo');
 require('fs');
 require('pathe');
-require('is-valid-path');
 require('http');
 require('https');
 require('ohmyfetch');

package/dist/index.d.ts

@@ -6,7 +6,7 @@ interface SourceData {
     getData: () => Promise<Buffer>;
 }
 declare type Source = (src: string, reqOptions?: any) => Promise<SourceData>;
-declare type SourceFactory = (options?: any) => Source;
+declare type SourceFactory<T = Record<string, any>> = (options: T) => Source;
 
 interface ImageMeta {
     width: number;
@@ -27,8 +27,10 @@ declare type IPX = (id: string, modifiers?: Record<string, string>, reqOptions?:
 };
 interface IPXOptions {
     dir?: false | string;
+    maxAge?: number;
     domains?: false | string[];
     alias: Record<string, string>;
+    fetchOptions: RequestInit;
     sharp?: {
         [key: string]: any;
     };

package/dist/index.mjs

@@ -4,7 +4,6 @@ import 'image-meta';
 import 'ufo';
 import 'fs';
 import 'pathe';
-import 'is-valid-path';
 import 'http';
 import 'https';
 import 'ohmyfetch';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ipx",
-  "version": "0.9.4",
+  "version": "0.9.6",
   "repository": "unjs/ipx",
   "license": "MIT",
   "exports": {
@@ -17,43 +17,42 @@
     "dist",
     "bin"
   ],
-  "scripts": {
-    "build": "unbuild",
-    "dev": "nodemon",
-    "lint": "eslint --ext .ts .",
-    "prepack": "yarn build",
-    "release": "yarn test && standard-version && git push --follow-tags && npm publish",
-    "start": "node bin/ipx.js",
-    "test": "yarn lint && jest"
-  },
   "dependencies": {
     "consola": "^2.15.3",
-    "defu": "^5.0.1",
-    "destr": "^1.1.0",
+    "defu": "^6.0.0",
+    "destr": "^1.1.1",
     "etag": "^1.8.1",
     "image-meta": "^0.1.1",
-    "is-valid-path": "^0.1.1",
-    "listhen": "^0.2.6",
-    "ohmyfetch": "^0.4.15",
-    "pathe": "^0.2.0",
-    "sharp": "^0.30.1",
-    "ufo": "^0.7.10",
-    "xss": "^1.0.10"
+    "listhen": "^0.2.13",
+    "ohmyfetch": "^0.4.18",
+    "pathe": "^0.3.0",
+    "sharp": "^0.30.6",
+    "ufo": "^0.8.4",
+    "xss": "^1.0.13"
   },
   "devDependencies": {
     "@nuxtjs/eslint-config-typescript": "latest",
     "@types/etag": "latest",
     "@types/is-valid-path": "latest",
-    "@types/jest": "latest",
     "@types/node-fetch": "latest",
     "@types/sharp": "latest",
+    "c8": "latest",
     "eslint": "latest",
-    "jest": "latest",
     "jiti": "latest",
     "nodemon": "latest",
+    "serve-handler": "^6.1.3",
     "standard-version": "latest",
-    "ts-jest": "latest",
     "typescript": "latest",
-    "unbuild": "latest"
+    "unbuild": "latest",
+    "vitest": "latest"
+  },
+  "packageManager": "pnpm@7.3.0",
+  "scripts": {
+    "build": "unbuild",
+    "dev": "nodemon",
+    "lint": "eslint --ext .ts .",
+    "release": "pnpm test && standard-version && git push --follow-tags && pnpm publish",
+    "start": "node bin/ipx.js",
+    "test": "pnpm lint && vitest run --coverage"
   }
-}
+}