fix: address code review findings

harlan-zw · harlan-zw · commit 2bc764f48cd6 · 2026-03-27T02:20:12.000+11:00
- Remove blocked URL from node.props.src to prevent Satori re-fetching
- Coerce dimensions to Number before clamping (query params arrive as strings)
- Clear setTimeout on successful render to prevent timer leak
diff --git a/src/runtime/server/og-image/context.ts b/src/runtime/server/og-image/context.ts
@@ -143,12 +143,16 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
   const ogImageRouteRules = separateProps(routeRules.ogImage as RouteRulesOgImage)
   const options = defu(queryParams, urlOptions, ogImageRouteRules, runtimeConfig.defaults) as OgImageOptionsInternal
 
-  // Clamp dimensions to prevent DoS via oversized image generation (GHSA-c7xp-q6q8-hg76)
+  // Clamp dimensions to prevent DoS via oversized image generation
   const maxDim = runtimeConfig.security?.maxDimension || 2048
-  if (typeof options.width === 'number')
-    options.width = Math.min(Math.max(1, options.width), maxDim)
-  if (typeof options.height === 'number')
-    options.height = Math.min(Math.max(1, options.height), maxDim)
+  if (options.width != null) {
+    const w = Number(options.width)
+    options.width = Number.isFinite(w) ? Math.min(Math.max(1, w), maxDim) : undefined
+  }
+  if (options.height != null) {
+    const h = Number(options.height)
+    options.height = Number.isFinite(h) ? Math.min(Math.max(1, h), maxDim) : undefined
+  }
 
   // Strip HTML event handlers and dangerous attributes from props (GHSA-mg36-wvcr-m75h)
   if (options.props && typeof options.props === 'object')
diff --git a/src/runtime/server/og-image/core/plugins/imageSrc.ts b/src/runtime/server/og-image/core/plugins/imageSrc.ts
@@ -135,12 +135,13 @@ export default defineTransformer([
       // avoid trying to fetch base64 image uris
       else if (!src.startsWith('data:')) {
         src = decodeHtml(src)
-        node.props.src = src
         // Block private/loopback URLs outside dev to prevent SSRF
         if (!import.meta.dev && isBlockedUrl(src)) {
           logger.warn(`Blocked internal image fetch: ${src}`)
+          delete node.props.src
         }
         else {
+          node.props.src = src
           // fetch remote images and embed as base64 to avoid satori re-fetching at render time
           imageBuffer = (await $fetch(src, {
             responseType: 'arrayBuffer',
diff --git a/src/runtime/server/util/eventHandlers.ts b/src/runtime/server/util/eventHandlers.ts
@@ -122,18 +122,21 @@ export async function imageEventHandler(e: H3Event) {
   if (!image) {
     const { security } = useOgImageRuntimeConfig()
     const timeout = security?.renderTimeout || 15_000
+    let timer: ReturnType<typeof setTimeout> | undefined
     image = await Promise.race([
       renderer.createImage(ctx),
-      new Promise<never>((_, reject) =>
-        setTimeout(() => reject(new Error(`OG image render timed out after ${timeout}ms`)), timeout),
-      ),
+      new Promise<never>((_, reject) => {
+        timer = setTimeout(() => reject(new Error(`OG image render timed out after ${timeout}ms`)), timeout)
+      }),
     ]).catch((err: any) => {
       if (err?.message?.includes('timed out')) {
         logger.error(`renderer.createImage timeout for ${e.path}`)
         return createError({ statusCode: 408, statusMessage: `[Nuxt OG Image] Render timed out.` })
       }
       logger.error(`renderer.createImage error for ${e.path}:`, err?.stack || err?.message || err)
       throw err
+    }).finally(() => {
+      clearTimeout(timer)
     })
     if (image instanceof H3Error)
       return image
