Handle extensionless image URLs in downloadImage safely

dahlia · codex · dahlia · commit 7a05536d91b0 · 2026-03-08T20:13:58.000+09:00
Use the last path segment to derive an extension and fall back to jpg for extensionless single-segment paths like /image. Keep rejecting unsafe or ambiguous paths by bailing out when no valid extension can be derived. This keeps the path-traversal safeguard intact while allowing the extensionless URL shape called out in review. #608 (comment) Co-Authored-By: Codex <codex@openai.com>
diff --git a/packages/cli/src/imagerenderer.test.ts b/packages/cli/src/imagerenderer.test.ts
@@ -189,3 +189,22 @@ test("downloadImage - rejects unsafe extension containing path traversal", async
     globalThis.fetch = originalFetch;
   }
 });
+
+test("downloadImage - falls back to jpg when URL has no extension", async () => {
+  const originalFetch = globalThis.fetch;
+  globalThis.fetch =
+    ((_input: URL | RequestInfo) =>
+      Promise.resolve(new Response(new Uint8Array([1, 2, 3])))) as typeof fetch;
+
+  let result: string | null = null;
+  try {
+    result = await downloadImage("https://198.51.100.10/image");
+    assert.notEqual(result, null);
+    assert.equal(path.extname(result!), ".jpg");
+  } finally {
+    globalThis.fetch = originalFetch;
+    if (result != null) {
+      await rm(path.dirname(result), { recursive: true, force: true });
+    }
+  }
+});
diff --git a/packages/cli/src/imagerenderer.ts b/packages/cli/src/imagerenderer.ts
@@ -131,7 +131,17 @@ export async function downloadImage(url: string): Promise<string | null> {
       return null;
     }
     const imageData = new Uint8Array(await response.arrayBuffer());
-    const extension = new URL(targetUrl).pathname.split(".").pop() || "jpg";
+    const pathname = new URL(targetUrl).pathname;
+    const pathSegments = pathname.split("/").filter((segment) =>
+      segment !== ""
+    );
+    const filename = pathSegments[pathSegments.length - 1] ?? "";
+    const extension = filename.includes(".")
+      ? path.extname(filename).slice(1)
+      : pathSegments.length === 1
+      ? "jpg"
+      : "";
+    if (extension.length < 1) return null;
     if (
       extension.includes("/") || extension.includes("\\") ||
       extension.includes("..")
