fix: correctness bugs, security hardening, and code cleanup #2777

Merged
ryanfowler merged 1 commit into main from fix/bugs-security-cleanup
Feb 10, 2026
Conversation

@ryanfowler (Owner)

  • Use ?? instead of || in applyFormat() so effort=0 is not silently replaced by the preset default
  • Return 502 instead of 400 for upstream-caused fetch errors (too many redirects, no body, unable to make request)
  • Validate user-supplied content-type in pipeline S3 uploads to prevent stored XSS via types like text/html
  • Replace ACL type hack with conditional spread in s3.ts
  • Remove dead commented-out format detection code (BMP, ICO, PSD, HEIF)
  • Document DNS rebinding TOCTOU limitation in fetch.ts

- Use ?? instead of || in applyFormat() so effort=0 is not silently
  replaced by the preset default
- Return 502 instead of 400 for upstream-caused fetch errors (too many
  redirects, no body, unable to make request)
- Validate user-supplied content-type in pipeline S3 uploads to prevent
  stored XSS via types like text/html
- Replace ACL type hack with conditional spread in s3.ts
- Remove dead commented-out format detection code (BMP, ICO, PSD, HEIF)
- Document DNS rebinding TOCTOU limitation in fetch.ts
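The first bullet is the classic JavaScript falsy-zero pitfall: `||` falls back whenever the left operand is falsy, so an explicit effort of 0 is replaced by the preset default, while `??` falls back only on null or undefined. The following added example (not the project's applyFormat, and with assumed option names and preset values) shows both variants side by side.

```typescript
// Added example, not the project's code. Option names and preset values
// are assumptions; only the `||` versus `??` behaviour is the point.

interface FormatOptions {
  effort?: number;
  quality?: number;
}

const PRESET_DEFAULTS: Required<FormatOptions> = { effort: 4, quality: 80 };

// Buggy variant: `||` treats 0 as "not provided" and substitutes the preset,
// so a caller asking for effort=0 silently gets effort=4.
export function applyFormatWithOr(opts: FormatOptions): Required<FormatOptions> {
  return {
    effort: opts.effort || PRESET_DEFAULTS.effort,
    quality: opts.quality || PRESET_DEFAULTS.quality,
  };
}

// Fixed variant: `??` only substitutes when the value is null or undefined,
// so 0 is kept and a genuinely missing option still gets the preset.
export function applyFormat(opts: FormatOptions): Required<FormatOptions> {
  return {
    effort: opts.effort ?? PRESET_DEFAULTS.effort,
    quality: opts.quality ?? PRESET_DEFAULTS.quality,
  };
}
```

The same pattern applies to any numeric or boolean option where 0, false or an empty string is a legitimate value: `||` is only safe as a default operator when none of the falsy values are meaningful inputs.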
@ryanfowler ryanfowler force-pushed the fix/bugs-security-cleanup branch from ea1978e to 3c2cc74 on February 10, 2026 16:52
@ryanfowler ryanfowler merged commit e90de33 into main Feb 10, 2026
3 checks passed
@ryanfowler ryanfowler deleted the fix/bugs-security-cleanup branch February 10, 2026 16:56