Rewrite image urls to exclude unwanted params

[pookmish]

READY FOR REVIEW/NOT READY

• (Edit the above to reflect status)

Summary

• TL;DR - what's this PR for?

Review By (Date)

• When does this need to be reviewed by?

Urgency

• How critical is this PR?

Steps to Test

1. Do this
2. Then this
3. Then this

Affected Projects or Products

• Does this PR impact any particular projects, products, or modules?

Associated Issues and/or People

• JIRA ticket
• Other PRs
• Any other contextual information that might be helpful (e.g., description of a bug that this PR fixes, new functionality that it adds, etc.)
• Anyone who should be notified? (@mention them here)

See Also

• PR Checklist

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
su-library	✅ Ready (Inspect)	Visit Preview	Nov 7, 2023 3:16am

[sherakama]

Looks smart.

Any exotic files like (webp, SVG)?

Is itok always the first parameter after the ??

[pookmish]

no webp, or svg uploads are allowed.
It should always be the first parameter if the data comes from Drupal.. i guess this probably wouldn't help it if bots remove the itok param

[pookmish]

I added some logic to also check for image urls without the itok param. It'll return a default image as a fallback.
A few scenarios:

• https://domain.edu/_next/image?url=https://google..... -> this will automatically be blocked due to the images.domains settings only allowing configured domains.
• https://domain.edu/_next/image?url=https://drupal/path/to/image.jpg -> this will go to the no-image since drupal will block it anyways without the itok param
• https://domain.edu/_next/image?url=https://drupal/path/to/image.jpg?itok=abc-12_3-> this will not be changed.
• https://domain.edu/_next/image?url=https://drupal/path/to/image.jpg?foo=bar&itok=abc-12_3 -> this will go to no-image since it's likely malicious.
• https://domain.edu/_next/image?url=https://drupal/path/to/image.jpg?itok=abc-12_3&foo=bar... -> this will rewrite to https://domain.edu/_next/image?url=https://drupal/path/to/image.jpg?itok=abc-12_3. This doesn't block bots, but it should reduce the variety of unique images being derived.

Can you think of any other scenarios?

[sherakama]

I think that should cover it. In a nutshell, you're looking for a valid-looking URL with only the parameters you want and everything else gets sent to the no-image file, which will be cached after the first time it's hit. Bots could still troll valid image paths and their derivatives but that is a different issue than cache-busting URLs.