umputun / remark42
85%

DEFAULT BRANCH: master
Repo Added 07 Feb 2020 09:18PM UTC
Build 1639 Last
Files 52
LAST BUILD ON BRANCH master
branch: master
  • master
  • 32/code-colors-styles
  • 965-fix-error-on-restricted-words
  • Ksinia/master
  • add-api-sdk
  • add-cssnano
  • add-module-type
  • add-security-headers
  • admin-edit
  • admin_email_notifications
  • ak/cleanup-comment-form
  • ak/compose-button-styles
  • ak/raw-content-styles
  • ak/update-node
  • akellbl4/editorconfig
  • aliksend/reduce-number-of-symbols-in-tg-message
  • anon-names
  • autofill-email-for-subscription
  • battle-net-oauth2
  • bem-to-css-modules-batch1
  • blackfriday
  • bluemonday-bump
  • bump-auth-oauth-redirect-fix
  • bump-deps
  • bump_ci_go_version
  • bump_lcw
  • bump_modules
  • bump_tollbooth
  • chore-deps-bump-go-modules
  • chore/update-go-deps-2026-04
  • ci-workflows
  • code-colors
  • code_cleanup
  • commento-import
  • configurable-microsoft-tenant
  • copilot/sub-pr-1995
  • dependabot/github_actions/github-actions-updates-8173ff9682
  • dependabot/go_modules/backend/_example/memory_store/github.com/go-chi/chi/v5-5.2.2
  • dependabot/go_modules/backend/_example/memory_store/golang.org/x/crypto-0.45.0
  • dependabot/go_modules/backend/_example/memory_store/golang.org/x/image-0.38.0
  • dependabot/go_modules/backend/_example/memory_store/golang.org/x/image-0.5.0
  • dependabot/go_modules/backend/_example/memory_store/golang.org/x/net-0.38.0
  • dependabot/go_modules/backend/_example/memory_store/golang.org/x/net-0.7.0
  • dependabot/go_modules/backend/github.com/golang-jwt/jwt/v5-5.2.2
  • dependabot/go_modules/backend/github.com/redis/go-redis/v9-9.7.3
  • dependabot/go_modules/backend/github.com/slack-go/slack-0.23.1
  • dependabot/go_modules/backend/go-modules-updates-3d96251ff3
  • dependabot/go_modules/backend/go-modules-updates-47fdc5c9f4
  • dependabot/go_modules/backend/go-modules-updates-75c1c3f47e
  • dependabot/go_modules/backend/go-modules-updates-76e35b2467
  • dependabot/go_modules/backend/go-modules-updates-81f599025a
  • dependabot/go_modules/backend/go-modules-updates-e61953c257
  • dependabot/go_modules/backend/go-modules-updates-f692995c50
  • dependabot/go_modules/backend/golang.org/x/crypto-0.45.0
  • dependabot/go_modules/backend/golang.org/x/net-0.36.0
  • dependabot/go_modules/backend/google.golang.org/protobuf-1.33.0
  • dependabot/npm_and_yarn/frontend/apps/remark42/npm-modules-updates-33950cb83c
  • dependabot/npm_and_yarn/frontend/apps/remark42/npm-modules-updates-for-tests-da749204ba
  • dependabot/npm_and_yarn/frontend/e2e/npm-modules-updates-for-tests-32faa27b51
  • dependabot/npm_and_yarn/frontend/packages/api/npm-modules-updates-for-tests-f28c5bd690
  • dependabot/npm_and_yarn/frontend/playwright-1.55.1
  • dependabot/npm_and_yarn/site/braces-3.0.3
  • dependabot/npm_and_yarn/site/ejs-3.1.10
  • dependabot/npm_and_yarn/site/js-yaml-3.14.2
  • dependabot/npm_and_yarn/site/luxon-2.5.2
  • dependabot/npm_and_yarn/site/micromatch-4.0.8
  • dependabot/npm_and_yarn/site/nanoid-3.3.8
  • dependabot/npm_and_yarn/site/node-fetch-3.2.10
  • dependabot/npm_and_yarn/site/npm-modules-updates-for-tests-284cb22f28
  • dependabot/npm_and_yarn/site/npm-modules-updates-for-tests-87ff55c30d
  • dependabot/npm_and_yarn/site/ws-8.17.1
  • deps-bump
  • disqus-empty-username-bug
  • disqus-fix
  • distributed_cache
  • docker-native-arm64-runners
  • docker_bump
  • docs/edit-time-zero-behavior
  • docs/placeholder-1990
  • docs/telegram-group-notifications
  • dverhoturov/docker
  • dverhoturov/docker_ci_build
  • dverhoturov/privatePreview
  • dverhoturov/renew_image_on_load
  • dverhoturov/validate_image_before_post
  • e2e
  • editorconfig-double-quotes-yml
  • email-encode-subject
  • email-from-display-name
  • examples-ci-issue
  • feat/custom-oauth2-provider
  • feature/comment-approval
  • fix-admin-names
  • fix-deprecated-flags
  • fix-iframe-resize
  • fix-image-decompression-bomb
  • fix-image-proxy-xss-content-type-spoofing
  • fix-img-submit-import-stuck
  • fix-negative-comments-count
  • fix-typo
  • fix/auth-send-jwt-header
  • fix/frontend-css-cleanup
  • fix/quick-fixes-1946-1991-1996
  • fix/security-ipv6-ssrf
  • fix/writeheader-renderjson-bug-1979
  • fix_error_wrap
  • fix_memory_store_tests_panic
  • fix_unclosed_body
  • frame-ancestors
  • frontend-infrastructure
  • full-text-search
  • generate-telegram-translations
  • github_golangci_lint
  • go-1.14
  • go-1.17
  • go-consistent
  • gocritic
  • golangci-lint-v2-migration
  • harden-deploy-permissions
  • hide-vote-iphash
  • image-rpc
  • image_interface_fixes
  • img_commit_on_start
  • img_fixes
  • img_route_verification
  • img_types
  • jwt-migration
  • lazy-image
  • links-rune
  • listen-address
  • migrate-to-testing-library
  • mkdocs
  • move-email-templates-to-separate-files
  • move-subscribe-ui-elements
  • named-exports
  • new-auth
  • packages
  • paskal/CWE-918
  • paskal/allow_dash_in_email_siteid
  • paskal/allowed_domains_exact_match
  • paskal/allowed_hosts
  • paskal/apple
  • paskal/apple_bad_key_test
  • paskal/apple_frontend
  • paskal/aud_per_site
  • paskal/auth_fixes
  • paskal/better_info
  • paskal/borderless_qr
  • paskal/bump-ci
  • paskal/bump_actions
  • paskal/bump_auth
  • paskal/bump_chroma
  • paskal/bump_dependencies
  • paskal/bump_go_modules
  • paskal/bump_golangci_lint
  • paskal/bump_mockery
  • paskal/bump_modules
  • paskal/bump_tollbooth
  • paskal/chi_render
  • paskal/clarify_cache_for_frontend
  • paskal/clarify_commands
  • paskal/clarify_docs
  • paskal/clarify_email_notifications
  • paskal/clarify_notifications
  • paskal/clarify_password
  • paskal/clean_stream
  • paskal/clean_title_and_username
  • paskal/cleanup_images_on_delete
  • paskal/close_body
  • paskal/comment_validation
  • paskal/commento_url
  • paskal/comments_pagination
  • paskal/consistent_info
  • paskal/csp
  • paskal/data_race
  • paskal/datastore_info_combine
  • paskal/debug_verify
  • paskal/dependabot
  • paskal/deprecate_twitter
  • paskal/deprecated_notifications
  • paskal/deprecated_params
  • paskal/deprecation_update
  • paskal/dev_provider
  • paskal/disable_md_sanitize
  • paskal/discord_poc
  • paskal/doc_split
  • paskal/docker-compose
  • paskal/docker_labels
  • paskal/docs
  • paskal/docs_from_wiki
  • paskal/duplicate_types
  • paskal/easy_subscription
  • paskal/email
  • paskal/email_login_auth
  • paskal/email_subscription_post
  • paskal/err_fix
  • paskal/find_tests
  • paskal/fix_avatar_types
  • paskal/fix_backup_error
  • paskal/fix_commento_import
  • paskal/fix_docker
  • paskal/fix_double_close
  • paskal/fix_email_templates
  • paskal/fix_golangci_lint
  • paskal/fix_image_proxy
  • paskal/fix_img_src_CSP
  • paskal/fix_links
  • paskal/fix_log
  • paskal/fix_logout
  • paskal/fix_notify_deprecation
  • paskal/fix_refresh_tokens_cache
  • paskal/fix_telegram_auth
  • paskal/fix_telegram_cli
  • paskal/fix_telegram_escape
  • paskal/fix_telegram_format
  • paskal/fix_ticker
  • paskal/fix_timeout
  • paskal/fix_variable
  • paskal/fix_webhook_json
  • paskal/generic_fixes
  • paskal/get_rid_of_dockerhub
  • paskal/go_embed
  • paskal/go_embed_templates
  • paskal/golangci-lint-update
  • paskal/golangci_lint
  • paskal/golangci_lint_v2
  • paskal/golangcilint_bump
  • paskal/image_proxy_blacklist
  • paskal/improve_docker_build
  • paskal/improve_get_user
  • paskal/improve_server_test
  • paskal/improve_telegram_flow
  • paskal/improve_telegram_notify
  • paskal/improve_tests
  • paskal/increase_timeout
  • paskal/jwt_v5
  • paskal/lcw_v2
  • paskal/md_ci
  • paskal/min_comment_size
  • paskal/modules_update
  • paskal/moq
  • paskal/multiple-admin-emails
  • paskal/new_errors
  • paskal/new_telegram_key
  • paskal/no_getstarted
  • paskal/no_mod_vendor
  • paskal/no_path
  • paskal/notifications_rework
  • paskal/notify
  • paskal/notify-drops-tail
  • paskal/notify_drops_test
  • paskal/notify_improvements
  • paskal/notify_migration
  • paskal/optimise_images
  • paskal/pagination_fixes
  • paskal/params
  • paskal/pngcrush
  • paskal/privatePreview
  • paskal/proper_site_id
  • paskal/raw_quotes
  • paskal/readonly_find_test
  • paskal/recursive_email_notifications
  • paskal/remove-deprecated-func
  • paskal/remove_common_shared_secret
  • paskal/remove_deprecated_param
  • paskal/remove_put
  • paskal/renew_cache_on_delete
  • paskal/rpc_panic
  • paskal/secret-clarify
  • paskal/send_jwt_header
  • paskal/simlify_boltdb_info
  • paskal/simplify_admin_emails
  • paskal/simplify_extract_pictures
  • paskal/siteid_dot
  • paskal/small_improvements
  • paskal/telegram-update
  • paskal/telegram_auth
  • paskal/telegram_channel
  • paskal/telegram_notifications
  • paskal/telegram_notify
  • paskal/telegram_notify_clarity
  • paskal/telegram_notify_params
  • paskal/test_user_replies
  • paskal/tests
  • paskal/tests_cleanup
  • paskal/tg_qr
  • paskal/token_instructions
  • paskal/twitter_blockquote_class
  • paskal/typos
  • paskal/update-go-modules
  • paskal/update-gopkgz
  • paskal/update-images
  • paskal/update_discreet_variables
  • paskal/update_doc
  • paskal/update_dockerfiles
  • paskal/update_go
  • paskal/update_modules
  • paskal/user_detail_telegram
  • patch-1
  • patch-2
  • patreon-auth
  • pkgs-rename
  • postmessage-to-child
  • proxy_image_commit
  • proxy_images
  • refactor-before-search
  • refactor/go-fix-modernize
  • refs/tags/backend/v1.10.0
  • refs/tags/backend/v1.11.0
  • refs/tags/backend/v1.11.2
  • refs/tags/backend/v1.11.3
  • refs/tags/backend/v1.12.0
  • refs/tags/backend/v1.13.0
  • refs/tags/backend/v1.13.1
  • refs/tags/backend/v1.14.0
  • refs/tags/backend/v1.16.0
  • refs/tags/backend/v1.6.0
  • refs/tags/backend/v1.6.1
  • refs/tags/backend/v1.7.0
  • refs/tags/backend/v1.7.1
  • refs/tags/backend/v1.8.1
  • refs/tags/backend/v1.9.0
  • refs/tags/backend/v1/11/3
  • refs/tags/v.1.9.0
  • refs/tags/v1.10.0
  • refs/tags/v1.10.1
  • refs/tags/v1.11.0
  • refs/tags/v1.11.1
  • refs/tags/v1.11.2
  • refs/tags/v1.11.3
  • refs/tags/v1.12.0
  • refs/tags/v1.12.1
  • refs/tags/v1.13.0
  • refs/tags/v1.13.1
  • refs/tags/v1.14.0
  • refs/tags/v1.15.0
  • refs/tags/v1.16.0
  • refs/tags/v1.30.0
  • refs/tags/v1.6.0
  • refs/tags/v1.6.1
  • refs/tags/v1.7.0
  • refs/tags/v1.7.1
  • refs/tags/v1.8.0
  • refs/tags/v1.8.1
  • refs/tags/v1.9.0
  • refs/tags/v1.9.1
  • refs/tags/v1.9.2
  • remark42-pr-fix-quotedprintable-buff-flush
  • remark42-pr-fix-smtp-newclient
  • remove-redundant-frame-ancestors-log
  • remove_golangci_conf
  • remove_unused_cache
  • same-site
  • sameip-correction-vote-728
  • sanitize-hotfix-1.6
  • sanitize-loactor
  • security-fixes-2026-04
  • security-pr-a-path-traversal
  • security-pr-c-matchsiteid
  • security-pr-d-tz-tests
  • simplify_img_storage
  • site
  • site_email_notifications
  • small-improvements
  • switch-to-pnpm
  • switch_to_lcw
  • termination_fix
  • tests/synctest-refactor
  • tests_fixes
  • tests_golangci_lint
  • unsinitize
  • upd-backend-deps
  • update-comments
  • update-docs-1.7
  • update-go-version
  • update-repeater-v2
  • use-packages
  • user-comments-empy-200
  • user-info
  • valid-email-auth
  • webhook-notify
  • workspaces

21 May 2026 03:37AM UTC coverage: 84.555% (+0.3%) from 84.273%
26203935339

push

github

web-flow
fix(security): reject non-image content-types in image proxy and /picture/ to prevent stored XSS (#2067)

* fix(security): reject non-image content-types in image proxy and /picture/ to prevent stored XSS

The /api/v1/img proxy and /api/v1/picture/{user}/{id} endpoints emitted
http.DetectContentType on the served bytes as the response Content-Type. A
controlled upstream serving Content-Type: image/png with an HTML body passed
the upstream check (only the response header was inspected, not the body),
and the body bytes then sniffed back to text/html — so the proxy served the
attacker's HTML from the remark42 origin. Browsers honoured the declared
text/html and executed the response as a document with access to cookies and
CSRF tokens. Affected from v1.6.0 (April 2020) through v1.15.0; verified live
via published docker images.

Layered defense applied to both handlers:

- rest.SafeImgContentType (in backend/app/rest/) validates sniffed content
  against a strict allowlist: image/png, image/jpeg, image/gif, image/webp,
  image/bmp, image/x-icon. Anything else (HTML, XML, SVG, plain text,
  octet-stream, or any future image type the stdlib sniffer may learn) is
  rejected with no body echo. SVG is implicitly excluded — it sniffs as
  text/xml or text/plain, never image/svg+xml, and SVG can execute scripts
  when navigated to top-level. The previous octet-stream → image/* fallback
  is gone.
- Per-endpoint Content-Security-Policy override sets
  "default-src 'none'; sandbox; frame-ancestors 'none'" on every response
  (success, 304, or error). Sandbox neuters scripts even if Content-Type
  ever regresses. The same policy is also applied to all /api/v1/* via
  apiCSPMiddleware as defense-in-depth.
- Content-Disposition: inline; filename="image" frames the response as a
  file rather than a renderable document.
- /picture/ rejection paths set Cache-Control: no-store so 4xx responses
  are never cached.

The defense headers and the strict ETag matcher are ex... (continued)
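The commit message above describes a layered fix: sniff the served bytes, accept only an allowlist of sniffed image types, and frame every response with a sandboxing CSP and a Content-Disposition header so a regression cannot become a document the browser executes. The block below is an added Go illustration of that pattern and is not remark42's own code: `SafeImgContentType`, `ServeImageBytes` and `ProbeServe` are assumed names, the sample byte strings are constructed, and only the allowlist and header values named in the message are taken from it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Allowlist of sniffed types from the commit message. SVG never appears here:
// http.DetectContentType reports it as text/xml or text/plain, so it is
// rejected without a dedicated rule.
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true,
	"image/webp": true, "image/bmp": true, "image/x-icon": true,
}

// Per-endpoint policy applied on every response path (success or error).
const imgCSP = "default-src 'none'; sandbox; frame-ancestors 'none'"

// SafeImgContentType sniffs the body that will actually be served, ignoring
// whatever Content-Type an upstream claimed, and accepts only allowlisted
// results. Text types come back with a "; charset=..." suffix and therefore
// never match the map keys. (Assumed helper, not the project's function.)
func SafeImgContentType(data []byte) (string, bool) {
	ct := http.DetectContentType(data)
	return ct, allowedImageTypes[ct]
}

// setImageDefenseHeaders frames the response as a sandboxed inline file
// regardless of the outcome, so the headers hold even if the type check
// ever regresses.
func setImageDefenseHeaders(h http.Header) {
	h.Set("Content-Security-Policy", imgCSP)
	h.Set("Content-Disposition", `inline; filename="image"`)
}

// ServeImageBytes writes data as an image, or rejects it with a fixed error
// message (no echo of the body) that must not be cached. (Assumed handler.)
func ServeImageBytes(w http.ResponseWriter, data []byte) {
	setImageDefenseHeaders(w.Header())
	ct, ok := SafeImgContentType(data)
	if !ok {
		w.Header().Set("Cache-Control", "no-store")
		http.Error(w, "unsupported image content type", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", ct)
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(data)
}

// ProbeServe runs ServeImageBytes against a recorder and reports the
// status, Content-Type, Cache-Control and CSP the client would see.
func ProbeServe(data []byte) (status int, contentType, cacheControl, csp string) {
	rec := httptest.NewRecorder()
	ServeImageBytes(rec, data)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Type"),
		res.Header.Get("Cache-Control"), res.Header.Get("Content-Security-Policy")
}

// Constructed samples: a minimal PNG header and an HTML body an upstream
// might have labelled image/png.
var (
	PNGSample  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	HTMLSample = []byte("<html><body>not an image</body></html>")
	SVGSample  = []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>`)
)

func main() {
	for name, sample := range map[string][]byte{"png": PNGSample, "html": HTMLSample, "svg": SVGSample} {
		st, ct, cc, csp := ProbeServe(sample)
		fmt.Printf("%-4s status=%d type=%q cache=%q csp=%q\n", name, st, ct, cc, csp)
	}
}
```

The point the example makes is that the decision is taken on the bytes, not on the upstream header, and that the CSP and Content-Disposition headers are present on the 403 path as well as the 200 path.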

85 of 86 new or added lines in 4 files covered. (98.84%)

2 existing lines in 1 file now uncovered.

6345 of 7504 relevant lines covered (84.55%)

34.7 hits per line

Source Files on master
  • Tree
  • List 52
  • Changed 5
  • Source Changed 0
  • Coverage Changed 5

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
26203935339 master fix(security): reject non-image content-types in image proxy and /picture/ to prevent stored XSS (#2067) * fix(security): reject non-image content-types in image proxy and /picture/ to prevent stored XSS The /api/v1/img proxy and /api/v1/picture... push 21 May 2026 03:40AM UTC web-flow github 84.55
26202461678 master fix(image): reject decompression-bomb dimensions before raster decode readAndValidateImage caps the byte size of incoming images but the resize() helper that follows still called image.Decode unconditionally, allocating pixel memory proportional ... push 21 May 2026 02:51AM UTC umputun github 84.27
26199364928 master chore(deps): bump go modules in backend and example Backend (backend/go.mod): - github.com/go-pkgz/auth/v2 v2.1.2 → v2.1.4 - github.com/klauspost/compress v1.18.5 → v1.18.6 - github.com/redis/go-redis/v9 v9.18.0 → v9.19.0 - github.com/slack-go/sl... push 21 May 2026 01:12AM UTC umputun github 84.25
25420889359 master Merge pull request #2052 from umputun/dependabot/go_modules/backend/go-modules-updates-47fdc5c9f4 chore(deps): bump the go-modules-updates group in /backend with 2 updates push 06 May 2026 06:56AM UTC web-flow github 84.25
24753077072 master fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts (#2049) * fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts Bump go-pkgz/auth/v2 to master (v2.1.2-0.20260421203319-686683f19cf7) which carries the `from` redi... push 22 Apr 2026 12:12AM UTC web-flow github 84.25
24600086020 master test: use testing/synctest to eliminate wall-clock sleeps (#2048) Go 1.25's testing/synctest package (GA) provides a fake clock bubble for deterministic goroutine and timer testing. Convert tests that waited on real-time durations to use synctest... push 18 Apr 2026 07:47AM UTC web-flow github 84.25
24599629279 master fix(api): drop QR-write nolint dup + trim dead `..` check Address PR #2045 review (umputun): * The //nolint:gosec on telegramQrCtrl's w.Write(png) was byte-identical to the same line in #2044 (gosec-rule restoration). Drop it here so the two... push 18 Apr 2026 07:18AM UTC umputun github 84.13
24592734878 master test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... push 18 Apr 2026 12:40AM UTC umputun github 84.13
24592686760 master fix(api): require explicit ?site= in matchSiteID middleware matchSiteID guarded most authenticated and admin routes with `if siteID != "" && user.SiteID != siteID`. Dropping the ?site= query parameter made the check no-op and any authenticated us... push 18 Apr 2026 12:38AM UTC umputun github 84.16
24547191483 master feat: custom oauth2 provider (#2006) * feat: add configurable custom OAuth2 provider and icons * fix: reserve built-in custom provider names * fix: add nolint directive for sha1 import * fix: harden custom oauth provider validation push 17 Apr 2026 04:13AM UTC web-flow github 84.35

© 2026 Coveralls, Inc