feat(proxy-favicon): disallow SVG favicons and add unit tests for handling

aguvener · aguvener · commit 5976728b6688 · 2025-09-16T16:34:34.000+03:00
diff --git a/__tests__/proxyFavicon.test.ts b/__tests__/proxyFavicon.test.ts
@@ -0,0 +1,48 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { onRequestGet, Env } from '../functions/api/proxy-favicon';
+
+describe('proxy-favicon handler', () => {
+  const originalFetch = global.fetch;
+  let fetchMock: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    global.fetch = fetchMock as unknown as typeof global.fetch;
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  it('streams through raster favicons unchanged', async () => {
+    fetchMock.mockResolvedValueOnce(new Response('png-data', {
+      status: 200,
+      headers: { 'content-type': 'image/png' },
+    }));
+
+    const request = new Request('https://example.com/api/proxy-favicon?url=https://remote.test/favicon.png');
+    const response = await onRequestGet({ request, env: {} as Env });
+
+    expect(fetchMock).toHaveBeenCalledOnce();
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toBe('image/png');
+    expect(await response.text()).toBe('png-data');
+  });
+
+  it('rejects SVG favicons with UNSUPPORTED_TYPE', async () => {
+    fetchMock.mockResolvedValueOnce(new Response('<svg></svg>', {
+      status: 200,
+      headers: { 'content-type': 'image/svg+xml' },
+    }));
+
+    const request = new Request('https://example.com/api/proxy-favicon?url=https://remote.test/favicon.svg');
+    const response = await onRequestGet({ request, env: {} as Env });
+
+    expect(fetchMock).toHaveBeenCalledOnce();
+    expect(response.status).toBe(415);
+    expect(response.headers.get('x-error-code')).toBe('UNSUPPORTED_TYPE');
+    const body = await response.json();
+    expect(body).toMatchObject({ error: true, code: 'UNSUPPORTED_TYPE' });
+  });
+});
diff --git a/backlog/tasks/task-16 - Disallow-SVG-favicons-in-proxy.md b/backlog/tasks/task-16 - Disallow-SVG-favicons-in-proxy.md
@@ -1,10 +1,11 @@
 ---
 id: task-16
 title: Disallow SVG favicons in proxy
-status: To Do
-assignee: []
+status: Done
+assignee:
+  - '@assistant'
 created_date: '2025-09-16 12:10'
-updated_date: '2025-09-16 12:16'
+updated_date: '2025-09-16 13:08'
 labels:
   - security
 dependencies: []
@@ -17,7 +18,23 @@ Tighten the favicon proxy to reject image/svg+xml responses.
 
 ## Acceptance Criteria
 <!-- AC:BEGIN -->
-- [ ] #1 Remove image/svg+xml from the allowed content types.
-- [ ] #2 Return 415 with UNSUPPORTED_TYPE when an SVG favicon is requested.
-- [ ] #3 Existing raster favicon handling remains unchanged.
+- [x] #1 Remove image/svg+xml from the allowed content types.
+- [x] #2 Return 415 with UNSUPPORTED_TYPE when an SVG favicon is requested.
+- [x] #3 Existing raster favicon handling remains unchanged.
 <!-- AC:END -->
+
+
+## Implementation Plan
+
+1. Remove image/svg+xml from the allowed content types in proxy-favicon.
+2. Add unit tests ensuring SVG responses return 415 with UNSUPPORTED_TYPE.
+3. Add test confirming png/jpeg responses continue to stream successfully.
+4. Run Vitest suite to validate.
+
+
+## Implementation Notes
+
+Implementation:
+- Removed image/svg+xml from ALLOWED_CONTENT_TYPES so SVG favicons return UNSUPPORTED_TYPE 415.
+- Added proxyFavicon vitest coverage for raster passthrough and SVG rejection.
+- Ran pnpm test.
diff --git a/backlog/tasks/task-2 - Audit-external-assets-for-SRI-and-CSP-alignment.md b/backlog/tasks/task-2 - Audit-external-assets-for-SRI-and-CSP-alignment.md
@@ -4,7 +4,7 @@ title: Audit external assets for SRI and CSP alignment
 status: To Do
 assignee: []
 created_date: '2025-09-16 12:09'
-updated_date: '2025-09-16 12:15'
+updated_date: '2025-09-16 13:03'
 labels:
   - security
 dependencies: []
diff --git a/functions/api/proxy-favicon.ts b/functions/api/proxy-favicon.ts
@@ -13,7 +13,6 @@ const ALLOWED_CONTENT_TYPES = new Set([
   'image/gif',
   'image/jpeg',
   'image/webp',
-  'image/svg+xml',
 ]);
 
 function badRequest(message: string) {
@@ -70,4 +69,3 @@ export const onRequestGet = async (context: { request: Request; env: Env }) => {
 
   return new Response(resp.body, { status: 200, headers: outHeaders });
 };
-
