Merge commit from fork

* fix: sanitize user-media svg api endpoint using isomorphic dompurify * fix: add iframe sandbox to prevent priviledge escalation
2025-11-14 18:00:15 +01:00
parent d33cfe211a
commit aaa23f3732
5 changed files with 118 additions and 5 deletions
--- a/apps/nextjs/next.config.ts
+++ b/apps/nextjs/next.config.ts
@@ -25,8 +25,9 @@ const nextConfig: NextConfig = {
  typescript: { ignoreBuildErrors: true },
  /**
   * dockerode is required in the external server packages because of https://github.com/homarr-labs/homarr/issues/612
+   * isomorphic-dompurify and jsdom are required, see https://github.com/kkomelin/isomorphic-dompurify/issues/356
   */
-  serverExternalPackages: ["dockerode"],
+  serverExternalPackages: ["dockerode", "isomorphic-dompurify", "jsdom"],
  experimental: {
    optimizePackageImports: ["@mantine/core", "@mantine/hooks", "@tabler/icons-react"],
    turbopackFileSystemCacheForDev: true,
--- a/apps/nextjs/package.json
+++ b/apps/nextjs/package.json
@@ -75,6 +75,7 @@
    "dotenv": "^17.2.3",
    "flag-icons": "^7.5.0",
    "glob": "^11.0.3",
+    "isomorphic-dompurify": "^2.32.0",
    "jotai": "^2.15.1",
    "mantine-react-table": "2.0.0-beta.9",
    "next": "16.0.1",
--- a/apps/nextjs/src/app/api/user-medias/[id]/route.ts
+++ b/apps/nextjs/src/app/api/user-medias/[id]/route.ts
@@ -1,6 +1,7 @@
 import { notFound } from "next/navigation";
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
+import DOMPurify from "isomorphic-dompurify";

 import { db, eq } from "@homarr/db";
 import { medias } from "@homarr/db/schema";
@@ -19,11 +20,24 @@ export async function GET(_req: NextRequest, props: { params: Promise<{ id: stri
    notFound();
  }

+  let content = new Uint8Array(image.content);
+
+  // Sanitize SVG content to prevent XSS attacks
+  if (image.contentType === "image/svg+xml" || image.contentType === "image/svg") {
+    const svgText = new TextDecoder().decode(content);
+    const sanitized = DOMPurify.sanitize(svgText, {
+      USE_PROFILES: { svg: true, svgFilters: true },
+    });
+    content = new TextEncoder().encode(sanitized);
+  }
+
  const headers = new Headers();
  headers.set("Content-Type", image.contentType);
-  headers.set("Content-Length", image.content.length.toString());
+  headers.set("Content-Length", content.length.toString());
+  headers.set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox");
+  headers.set("X-Content-Type-Options", "nosniff");

-  return new NextResponse(new Uint8Array(image.content), {
+  return new NextResponse(content, {
    status: 200,
    headers,
  });