nuxt-og-image 6.2.4 → 6.2.6

package/dist/runtime/server/og-image/core/plugins/imageSrc.js

@@ -6,6 +6,56 @@ import { decodeHtml } from "../../../util/encoding.js";
 import { logger } from "../../../util/logger.js";
 import { getImageDimensions } from "../../utils/image-detector.js";
 import { defineTransformer } from "../plugins.js";
+const RE_IPV6_BRACKETS = /^\[|\]$/g;
+const RE_MAPPED_V4 = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/;
+const RE_DIGIT_ONLY = /^\d+$/;
+const RE_INT_IP = /^(?:0x[\da-f]+|\d+)$/i;
+function isPrivateIPv4(a, b) {
+  if (a === 127)
+    return true;
+  if (a === 10)
+    return true;
+  if (a === 172 && b >= 16 && b <= 31)
+    return true;
+  if (a === 192 && b === 168)
+    return true;
+  if (a === 169 && b === 254)
+    return true;
+  if (a === 0)
+    return true;
+  return false;
+}
+function isBlockedUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return true;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
+    return true;
+  const hostname = parsed.hostname.toLowerCase();
+  const bare = hostname.replace(RE_IPV6_BRACKETS, "");
+  if (bare === "localhost" || bare.endsWith(".localhost"))
+    return true;
+  const mappedV4 = bare.match(RE_MAPPED_V4);
+  const ip = mappedV4 ? mappedV4[1] : bare;
+  const parts = ip.split(".");
+  if (parts.length === 4 && parts.every((p) => RE_DIGIT_ONLY.test(p))) {
+    const octets = parts.map(Number);
+    if (octets.some((o) => o > 255))
+      return true;
+    return isPrivateIPv4(octets[0], octets[1]);
+  }
+  if (RE_INT_IP.test(ip)) {
+    const num = Number(ip);
+    if (!Number.isNaN(num) && num >= 0 && num <= 4294967295)
+      return isPrivateIPv4(num >> 24 & 255, num >> 16 & 255);
+  }
+  if (bare === "::1" || bare.startsWith("fc") || bare.startsWith("fd") || bare.startsWith("fe80"))
+    return true;
+  return false;
+}
 const RE_URL_LEADING = /^url\(['"]?/;
 const RE_URL_TRAILING = /['"]?\)$/;
 async function resolveLocalFilePathImage(publicStoragePath, src) {
@@ -50,14 +100,19 @@ export default defineTransformer([
         }
       } else if (!src.startsWith("data:")) {
         src = decodeHtml(src);
-        node.props.src = src;
-        imageBuffer = await $fetch(src, {
-          responseType: "arrayBuffer"
-        }).catch(() => {
-        });
-        if (imageBuffer) {
-          const buffer = imageBuffer instanceof ArrayBuffer ? imageBuffer : imageBuffer.buffer;
-          node.props.src = toBase64Image(buffer);
+        if (!import.meta.dev && isBlockedUrl(src)) {
+          logger.warn(`Blocked internal image fetch: ${src}`);
+          delete node.props.src;
+        } else {
+          node.props.src = src;
+          imageBuffer = await $fetch(src, {
+            responseType: "arrayBuffer"
+          }).catch(() => {
+          });
+          if (imageBuffer) {
+            const buffer = imageBuffer instanceof ArrayBuffer ? imageBuffer : imageBuffer.buffer;
+            node.props.src = toBase64Image(buffer);
+          }
         }
       }
       if (typeof node.props.width === "string")
@@ -115,10 +170,16 @@ export default defineTransformer([
           }
         }
       } else {
-        imageBuffer = await $fetch(decodeHtml(src), {
-          responseType: "arrayBuffer"
-        }).catch(() => {
-        });
+        const decodedSrc = decodeHtml(src);
+        if (!import.meta.dev && isBlockedUrl(decodedSrc)) {
+          logger.warn(`Blocked internal background-image fetch: ${decodedSrc}`);
+          delete node.props.style.backgroundImage;
+        } else {
+          imageBuffer = await $fetch(decodedSrc, {
+            responseType: "arrayBuffer"
+          }).catch(() => {
+          });
+        }
       }
       if (imageBuffer) {
         const buffer = imageBuffer instanceof ArrayBuffer ? imageBuffer : imageBuffer.buffer;

package/dist/runtime/server/og-image/takumi/renderer.js

@@ -102,10 +102,12 @@ async function createImage(event, format) {
       }
     }
   }));
-  const dpr = options.takumi?.devicePixelRatio ?? 1;
+  const maxDpr = event.runtimeConfig.security?.maxDpr || 2;
+  const maxDim = event.runtimeConfig.security?.maxDimension || 2048;
+  const dpr = Math.min(Math.max(1, options.takumi?.devicePixelRatio ?? 1), maxDpr);
   const renderOptions = defu(options.takumi, {
-    width: Number(options.width) * dpr,
-    height: Number(options.height) * dpr,
+    width: Math.min(Number(options.width) * dpr, maxDim),
+    height: Math.min(Number(options.height) * dpr, maxDim),
     format,
     fetchedResources,
     devicePixelRatio: dpr

package/dist/runtime/server/util/eventHandlers.js

@@ -1,5 +1,5 @@
 import { getSiteConfig } from "#site-config/server/composables/getSiteConfig";
-import { createError, H3Error, setHeader } from "h3";
+import { createError, getRequestHost, H3Error, setHeader } from "h3";
 import { logger } from "../../logger.js";
 import { getBuildCachedImage, setBuildCachedImage } from "../og-image/cache/buildCache.js";
 import { resolveContext } from "../og-image/context.js";
@@ -15,7 +15,24 @@ export async function imageEventHandler(e) {
   if (ctx instanceof H3Error)
     return ctx;
   const { isDevToolsContextRequest, extension, renderer } = ctx;
-  const { debug, baseCacheKey } = useOgImageRuntimeConfig();
+  const { debug, baseCacheKey, security } = useOgImageRuntimeConfig();
+  if (!import.meta.prerender && !import.meta.dev && security?.restrictRuntimeImagesToOrigin) {
+    const siteHost = new URL(getSiteConfig(e).url).host;
+    const allowedHosts = [siteHost, ...security.restrictRuntimeImagesToOrigin.map((o) => {
+      try {
+        return new URL(o).host;
+      } catch {
+        return o;
+      }
+    })];
+    const requestHost = getRequestHost(e, { xForwardedHost: true });
+    if (!requestHost || !allowedHosts.includes(requestHost)) {
+      return createError({
+        statusCode: 403,
+        statusMessage: "[Nuxt OG Image] Host not allowed."
+      });
+    }
+  }
   if ((import.meta.dev || debug) && isDevToolsContextRequest) {
     setHeader(e, "Content-Type", "application/json");
     const [extract, rendererDebug] = await Promise.all([
@@ -82,9 +99,23 @@ export async function imageEventHandler(e) {
     return cacheApi;
   let image = cacheApi.cachedItem;
   if (!image) {
-    image = await renderer.createImage(ctx).catch((err) => {
+    const { security: security2 } = useOgImageRuntimeConfig();
+    const timeout = security2?.renderTimeout || 15e3;
+    let timer;
+    image = await Promise.race([
+      renderer.createImage(ctx),
+      new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new Error(`OG image render timed out after ${timeout}ms`)), timeout);
+      })
+    ]).catch((err) => {
+      if (err?.message?.includes("timed out")) {
+        logger.error(`renderer.createImage timeout for ${e.path}`);
+        return createError({ statusCode: 408, statusMessage: `[Nuxt OG Image] Request timed out while waiting for OG image render.` });
+      }
       logger.error(`renderer.createImage error for ${e.path}:`, err?.stack || err?.message || err);
       throw err;
+    }).finally(() => {
+      clearTimeout(timer);
     });
     if (image instanceof H3Error)
       return image;

package/dist/runtime/shared.d.ts

@@ -5,5 +5,10 @@ export { buildOgImageUrl, decodeOgImageParams, encodeOgImageParams, extractEncod
 export declare function generateMeta(url: OgImagePrebuilt['url'] | string, resolvedOptions: OgImageOptions | OgImagePrebuilt): ResolvableMeta[];
 export declare function isInternalRoute(path: string): boolean;
 export declare function separateProps(options: OgImageOptions | undefined, ignoreKeys?: string[]): OgImageOptions;
+/**
+ * Strip HTML event handlers and dangerous attributes from props to prevent
+ * reflected XSS via Vue fallthrough attributes (GHSA-mg36-wvcr-m75h).
+ */
+export declare function sanitizeProps(props: Record<string, any>): Record<string, any>;
 export declare function withoutQuery(path: string): string | undefined;
 export declare function getExtension(path: string): string;

package/dist/runtime/shared.js

@@ -82,6 +82,16 @@ export function separateProps(options, ignoreKeys = []) {
     result.props = props;
   return result;
 }
+const DANGEROUS_ATTRS = /* @__PURE__ */ new Set(["autofocus", "contenteditable", "tabindex", "accesskey"]);
+export function sanitizeProps(props) {
+  const clean = {};
+  for (const key of Object.keys(props)) {
+    if (key.startsWith("on") || DANGEROUS_ATTRS.has(key.toLowerCase()))
+      continue;
+    clean[key] = props[key];
+  }
+  return clean;
+}
 export function withoutQuery(path) {
   return path.split("?")[0];
 }

package/dist/runtime/types.d.ts

@@ -54,6 +54,13 @@ export interface OgImageRuntimeConfig {
         provider?: BrowserProvider;
         binding?: string;
     };
+    security: {
+        maxDimension: number;
+        maxDpr: number;
+        renderTimeout: number;
+        maxQueryParamSize: number | null;
+        restrictRuntimeImagesToOrigin: false | string[];
+    };
     app: {
         baseURL: string;
     };
@@ -73,6 +80,8 @@ export interface OgImageComponent {
     category: 'app' | 'community' | 'pro';
     credits?: string;
     renderer: RendererType;
+    /** Declared prop names extracted from defineProps at build time (used for prop whitelisting) */
+    propNames?: string[];
 }
 export interface ScreenshotOptions {
     colorScheme?: 'dark' | 'light';

package/dist/shared/{nuxt-og-image.CvPWboEh.mjs → nuxt-og-image.CA6cPvTd.mjs}

@@ -2215,6 +2215,36 @@ function setupPrerenderHandler(options, resolve, getDetectedRenderers, nuxt = us
   });
 }
 
+let _parse;
+let _compileScript;
+async function loadSfcCompiler() {
+  if (!_parse) {
+    const sfc = await import('@vue/compiler-sfc');
+    _parse = sfc.parse;
+    _compileScript = sfc.compileScript;
+  }
+}
+function extractPropNamesFromVue(code) {
+  if (!_parse || !_compileScript)
+    return [];
+  let descriptor;
+  try {
+    descriptor = _parse(code).descriptor;
+  } catch {
+    return [];
+  }
+  if (!descriptor.scriptSetup)
+    return [];
+  try {
+    const compiled = _compileScript(descriptor, { id: "prop-extract" });
+    if (!compiled.bindings)
+      return [];
+    return Object.entries(compiled.bindings).filter(([, type]) => type === "props").map(([name]) => name);
+  } catch {
+    return [];
+  }
+}
+
 function isVue(id, opts = {}) {
   const { search } = parseURL(decodeURIComponent(pathToFileURL(id).href));
   if (id.endsWith(".vue") && !search) {
@@ -4123,6 +4153,9 @@ const module$1 = defineNuxtModule({
       logger.warn("Nuxt OG Image is enabled but SSR is disabled.\n\nYou should enable SSR (`ssr: true`) or disable the module (`ogImage: { enabled: false }`).");
       return;
     }
+    if (config.debug && !nuxt.options.dev) {
+      logger.warn("`ogImage.debug` is enabled in production. This exposes the `/_og/debug.json` endpoint and should not be enabled in production. Disable it before deploying.");
+    }
     const ogImageConfig = config;
     for (const key of Object.keys(REMOVED_CONFIG)) {
       if (key !== "chromium-node" && key !== "browser-node" && key in ogImageConfig && ogImageConfig[key] !== void 0) {
@@ -4652,6 +4685,7 @@ ${familyInfo}`);
         });
       }
     }
+    await loadSfcCompiler();
     nuxt.hook("components:extend", (components) => {
       allNuxtComponents = components;
       ogImageComponentCtx.components = [];
@@ -4682,6 +4716,7 @@ ${familyInfo}`);
             ogImageComponentCtx.detectedRenderers.add(renderer);
           const componentFile = fs.readFileSync(component.filePath, "utf-8");
           const credits = componentFile.split("\n").find((line) => line.startsWith(" * @credits"))?.replace("* @credits", "").trim();
+          const propNames = extractPropNamesFromVue(componentFile);
           ogImageComponentCtx.components.push({
             hash: hash(componentFile).replaceAll("_", "-"),
             pascalName: component.pascalName,
@@ -4689,7 +4724,8 @@ ${familyInfo}`);
             path: component.filePath,
             category,
             credits,
-            renderer
+            renderer,
+            propNames
           });
         }
       });
@@ -4713,13 +4749,15 @@ ${familyInfo}`);
             })) {
               return;
             }
+            const propNames = fs.statSync(filePath).isFile() ? extractPropNamesFromVue(fs.readFileSync(filePath, "utf-8")) : [];
             ogImageComponentCtx.components.push({
               hash: "",
               pascalName,
               kebabName: pascalName.replace(RE_PASCAL_TO_KEBAB, "$1-$2").toLowerCase(),
               path: filePath,
               category: "community",
-              renderer
+              renderer,
+              propNames
             });
           });
         }
@@ -4958,7 +4996,14 @@ export const rootDir = ${JSON.stringify(nuxt.options.rootDir)}`;
         browser: typeof config.browser === "object" ? {
           provider: config.browser.provider,
           binding: config.browser.binding
-        } : void 0
+        } : void 0,
+        security: {
+          maxDimension: config.security?.maxDimension ?? 2048,
+          maxDpr: config.security?.maxDpr ?? 2,
+          renderTimeout: config.security?.renderTimeout ?? 15e3,
+          maxQueryParamSize: config.security?.maxQueryParamSize ?? null,
+          restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true ? [] : config.security?.restrictRuntimeImagesToOrigin || false
+        }
       };
       if (nuxt.options.dev) {
         runtimeConfig.componentDirs = config.componentDirs;

package/dist/shared/{nuxt-og-image.Ni0_6XZ0.cjs → nuxt-og-image.DVJetxwr.cjs}

@@ -2235,6 +2235,36 @@ function setupPrerenderHandler(options, resolve, getDetectedRenderers, nuxt = ki
   });
 }
 
+let _parse;
+let _compileScript;
+async function loadSfcCompiler() {
+  if (!_parse) {
+    const sfc = await import('@vue/compiler-sfc');
+    _parse = sfc.parse;
+    _compileScript = sfc.compileScript;
+  }
+}
+function extractPropNamesFromVue(code) {
+  if (!_parse || !_compileScript)
+    return [];
+  let descriptor;
+  try {
+    descriptor = _parse(code).descriptor;
+  } catch {
+    return [];
+  }
+  if (!descriptor.scriptSetup)
+    return [];
+  try {
+    const compiled = _compileScript(descriptor, { id: "prop-extract" });
+    if (!compiled.bindings)
+      return [];
+    return Object.entries(compiled.bindings).filter(([, type]) => type === "props").map(([name]) => name);
+  } catch {
+    return [];
+  }
+}
+
 function isVue(id, opts = {}) {
   const { search } = ufo.parseURL(decodeURIComponent(node_url.pathToFileURL(id).href));
   if (id.endsWith(".vue") && !search) {
@@ -4113,7 +4143,7 @@ const module$1 = kit.defineNuxtModule({
     await onUpgrade(nuxt, options, previousVersion);
   },
   async setup(config, nuxt) {
-    const _resolver = kit.createResolver((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('shared/nuxt-og-image.Ni0_6XZ0.cjs', document.baseURI).href)));
+    const _resolver = kit.createResolver((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('shared/nuxt-og-image.DVJetxwr.cjs', document.baseURI).href)));
     const fixSharedPath = (p) => {
       if (p.includes("/shared/runtime/"))
         return p.replace("/shared/runtime/", "/runtime/");
@@ -4143,6 +4173,9 @@ const module$1 = kit.defineNuxtModule({
       logger_js.logger.warn("Nuxt OG Image is enabled but SSR is disabled.\n\nYou should enable SSR (`ssr: true`) or disable the module (`ogImage: { enabled: false }`).");
       return;
     }
+    if (config.debug && !nuxt.options.dev) {
+      logger_js.logger.warn("`ogImage.debug` is enabled in production. This exposes the `/_og/debug.json` endpoint and should not be enabled in production. Disable it before deploying.");
+    }
     const ogImageConfig = config;
     for (const key of Object.keys(REMOVED_CONFIG)) {
       if (key !== "chromium-node" && key !== "browser-node" && key in ogImageConfig && ogImageConfig[key] !== void 0) {
@@ -4672,6 +4705,7 @@ ${familyInfo}`);
         });
       }
     }
+    await loadSfcCompiler();
     nuxt.hook("components:extend", (components) => {
       allNuxtComponents = components;
       ogImageComponentCtx.components = [];
@@ -4702,6 +4736,7 @@ ${familyInfo}`);
             ogImageComponentCtx.detectedRenderers.add(renderer);
           const componentFile = fs__namespace.readFileSync(component.filePath, "utf-8");
           const credits = componentFile.split("\n").find((line) => line.startsWith(" * @credits"))?.replace("* @credits", "").trim();
+          const propNames = extractPropNamesFromVue(componentFile);
           ogImageComponentCtx.components.push({
             hash: ohash.hash(componentFile).replaceAll("_", "-"),
             pascalName: component.pascalName,
@@ -4709,7 +4744,8 @@ ${familyInfo}`);
             path: component.filePath,
             category,
             credits,
-            renderer
+            renderer,
+            propNames
           });
         }
       });
@@ -4733,13 +4769,15 @@ ${familyInfo}`);
             })) {
               return;
             }
+            const propNames = fs__namespace.statSync(filePath).isFile() ? extractPropNamesFromVue(fs__namespace.readFileSync(filePath, "utf-8")) : [];
             ogImageComponentCtx.components.push({
               hash: "",
               pascalName,
               kebabName: pascalName.replace(RE_PASCAL_TO_KEBAB, "$1-$2").toLowerCase(),
               path: filePath,
               category: "community",
-              renderer
+              renderer,
+              propNames
             });
           });
         }
@@ -4978,7 +5016,14 @@ export const rootDir = ${JSON.stringify(nuxt.options.rootDir)}`;
         browser: typeof config.browser === "object" ? {
           provider: config.browser.provider,
           binding: config.browser.binding
-        } : void 0
+        } : void 0,
+        security: {
+          maxDimension: config.security?.maxDimension ?? 2048,
+          maxDpr: config.security?.maxDpr ?? 2,
+          renderTimeout: config.security?.renderTimeout ?? 15e3,
+          maxQueryParamSize: config.security?.maxQueryParamSize ?? null,
+          restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true ? [] : config.security?.restrictRuntimeImagesToOrigin || false
+        }
       };
       if (nuxt.options.dev) {
         runtimeConfig.componentDirs = config.componentDirs;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-og-image",
   "type": "module",
-  "version": "6.2.4",
+  "version": "6.2.6",
   "description": "Enlightened OG Image generation for Nuxt.",
   "author": {
     "website": "https://harlanzw.com",
@@ -108,9 +108,9 @@
     "magic-string": "^0.30.21",
     "magicast": "^0.5.2",
     "mocked-exports": "^0.1.1",
-    "nuxt-site-config": "^4.0.6",
-    "nuxtseo-layer-devtools": "^0.4.5",
-    "nuxtseo-shared": "^0.8.1",
+    "nuxt-site-config": "^4.0.7",
+    "nuxtseo-layer-devtools": "^5.0.1",
+    "nuxtseo-shared": "^5.0.1",
     "nypm": "^0.6.5",
     "ofetch": "^1.5.1",
     "ohash": "^2.0.11",
@@ -178,7 +178,7 @@
     "typescript": "^6.0.2",
     "unifont": "^0.7.4",
     "unocss": "^66.6.7",
-    "vitest": "^4.1.1",
+    "vitest": "^4.1.2",
     "vue-tsc": "^3.2.6",
     "wrangler": "^4.77.0",
     "yoga-wasm-web": "^0.3.3"

package/dist/devtools/_nuxt/CGddsLij.js

@@ -1 +0,0 @@
-import{C as e,Ot as t,T as n,Tt as r,U as i,_ as a,at as o,g as s,h as c,jt as l,q as u,v as d,y as f}from"./D2zWjF09.js";import{bt as p,v as m}from"./Co3OAyKc.js";import{a as h,d as g,n as _}from"#entry";function v(e=2e3){let{copy:t,copied:n}=p({legacy:!0,copiedDuring:e});return{copy:t,copied:n}}var y=Object.assign(n({__name:`DevtoolsCopyButton`,props:{text:{}},setup(n){let{copy:s,copied:c}=v();return(l,u)=>{let d=h,f=m;return i(),a(f,{text:r(c)?`Copied!`:`Copy`},{default:o(()=>[e(d,{icon:r(c)?`carbon:checkmark`:`carbon:copy`,"aria-label":r(c)?`Copied`:`Copy to clipboard`,class:t(r(c)?`text-[var(--seo-green)]`:``),onClick:u[0]||=e=>r(s)(n.text)},null,8,[`icon`,`aria-label`,`class`])]),_:1},8,[`text`])}}}),{__name:`DevtoolsCopyButton`}),b=[`innerHTML`],x=Object.assign(n({__name:`OCodeBlock`,props:{code:{},lang:{},lines:{type:Boolean,default:!1},transformRendered:{type:Function}},setup(e){let n=c(()=>{let t=_(e.code,e.lang);return e.transformRendered?e.transformRendered(t.value||``):t.value});return(a,o)=>(i(),f(`pre`,{class:t([`code-block p-5`,e.lines?`code-block-lines`:``]),innerHTML:r(n)},null,10,b))}}),{__name:`OCodeBlock`}),S={class:`devtools-snippet`},C={key:0,class:`devtools-snippet-header`},w={class:`devtools-snippet-label`},T=Object.assign(g(n({__name:`DevtoolsSnippet`,props:{label:{},code:{},lang:{default:`js`}},setup(t){return(n,r)=>{let a=y,o=x;return i(),f(`div`,S,[t.label||n.$slots.header?(i(),f(`div`,C,[u(n.$slots,`header`,{},()=>[s(`code`,w,l(t.label),1)],!0),e(a,{text:t.code},null,8,[`text`])])):d(``,!0),e(o,{code:t.code,lang:t.lang,class:`devtools-snippet-block`},null,8,[`code`,`lang`])])}}}),[[`__scopeId`,`data-v-a6534a8f`]]),{__name:`DevtoolsSnippet`});export{T as t};