Closed avbeladiya closed 2 years ago
Hi @blazitycoo, do you mind sharing some examples of security attacks that might happen if I allow all possible domains for an image URL? Thanks in advance!!
Hi @heesungjang, sure thing, and thanks for the question 😄 I am not a security guy, but allowing a random host to use your image optimization server seems like a vulnerability. You don't know what type of file it is, and once it lands on the server they could, in theory, do anything. I bet it is not an issue while you're using Vercel, because they use AWS Lambdas under the hood and they're sandboxed by default, so an infected file couldn't break anything important. But yeah, overall it seems like a dangerous thing to do, especially if you're hosting it on a basic Node instance.
read more here: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
Let me know if this answers your question. Just wanted to point out again that I am not a security person, so please don't take my word for it!
@bmstefanski Didn't expect I'd get a response this quick, thanks for your reply!! Your explanation is more than enough for me at the moment. I'm pretty new to Next.js and web development as well.
I was just a bit shocked by realising that the image URL is a path to a file and this could really be anything; I had never thought about it while using the img tag before Next.js.
Hi, technically you can, but I wouldn't recommend that, because it'll make your app more prone to some forms of security attacks.