fix(feed): anchor unwrapDoubledUrl to the host boundary

NiallJoeMaher · claude · NiallJoeMaher · commit cd2679d40e5d · 2026-06-14T09:04:28.000+01:00
Code review caught that the naive lastIndexOf scan would truncate a URL
whose path legitimately contains http://https:// deeper down (path-based
image proxies, or a slug literally containing a scheme). Match only an
absolute URL sitting immediately after the host — the exact shape of the
upstream doubled-origin bug — and leave everything else untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.claude/scheduled_tasks.lock b/.claude/scheduled_tasks.lock
diff --git a/utils/url.test.ts b/utils/url.test.ts
@@ -29,6 +29,15 @@ describe("unwrapDoubledUrl", () => {
     ).toBe("https://img.proxy/optimize?url=https://cdn.site/x.png");
   });
 
+  it("leaves a scheme that appears deeper in the path untouched", () => {
+    // A slug or nested path segment that contains `http://` is NOT a doubled
+    // origin — only a scheme immediately after the host counts.
+    const slug = "https://blog.com/2021/http-vs-https/cover.png";
+    expect(unwrapDoubledUrl(slug)).toBe(slug);
+    const nested = "https://cdn.site.com/a/https://b/x.png";
+    expect(unwrapDoubledUrl(nested)).toBe(nested);
+  });
+
   it("passes through null/empty", () => {
     expect(unwrapDoubledUrl(null)).toBeNull();
     expect(unwrapDoubledUrl(undefined)).toBeNull();
diff --git a/utils/url.ts b/utils/url.ts
@@ -29,22 +29,24 @@ export function safeExternalHref(
   return parsed.protocol === "https:" ? url.trim() : undefined;
 }
 
+// `https://host[:port]/<absolute-url>` — an upstream feed prefixed its own
+// origin onto an already-absolute URL. Anchored so the embedded scheme must sit
+// immediately after the host's first slash: this is the precise shape of the
+// bug and avoids mangling a scheme that legitimately appears deeper in the path
+// (path-based image proxies, a slug containing `http://`) or in a query string.
+const DOUBLED_ORIGIN = /^https?:\/\/[^/]+\/(https?:\/\/.+)$/i;
+
 /**
  * Unwraps a URL that an upstream feed prefixed with its own origin, leaving an
  * already-absolute URL doubled up — e.g. HackerNoon's `media:thumbnail` serves
- * `https://hackernoon.com/https://cdn.hackernoon.com/x.png`, which 404s. We
- * slice from the LAST embedded scheme so the inner, real URL wins. A normal URL
- * (only scheme at index 0) and a `?url=https://...` proxy param are left intact.
+ * `https://hackernoon.com/https://cdn.hackernoon.com/x.png`, which 404s. Returns
+ * the inner URL; a normal URL is returned unchanged.
  */
 export function unwrapDoubledUrl(
   url: string | null | undefined,
 ): string | null {
   if (!url) return null;
-  // Ignore a scheme that appears inside the query string — only unwrap when the
-  // embedded scheme sits in the path (before any `?`).
-  const path = url.split("?")[0];
-  const i = Math.max(path.lastIndexOf("http://"), path.lastIndexOf("https://"));
-  return i > 0 ? url.slice(i) : url;
+  return DOUBLED_ORIGIN.exec(url)?.[1] ?? url;
 }
 
 /** Upgrades an `http://` URL to `https://`. Returns null for empty input. */
