fix(plugins): rewrite relative README image URLs to source-host raw URLs

clawsweeper[bot] · clawsweeper[bot] · commit d84dacc4c081 · 2026-06-02T10:26:00.000Z
diff --git a/src/lib/rehypeProxyImages.test.ts b/src/lib/rehypeProxyImages.test.ts
@@ -30,6 +30,26 @@ function rewriteImgSrc(src: string, assetBaseUrl?: string) {
 }
 
 describe("rehypeProxyImages", () => {
+  it("allows relative README assets to reference parent folders inside the same commit tree", () => {
+    expect(
+      rewriteImgSrc(
+        "../shared/logo.png",
+        "https://raw.githubusercontent.com/owner/repo/abcdef/sub/",
+      ),
+    ).toBe(
+      "/_vercel/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fowner%2Frepo%2Fabcdef%2Fshared%2Flogo.png&w=1024&q=75",
+    );
+  });
+
+  it("does not rewrite relative README assets that escape above the commit root", () => {
+    expect(
+      rewriteImgSrc(
+        "../../../outside.png",
+        "https://raw.githubusercontent.com/owner/repo/abcdef/sub/dir/",
+      ),
+    ).toBe("../../../outside.png");
+  });
+
   it("does not treat explicit non-http schemes as relative README assets", () => {
     expect(
       rewriteImgSrc("javascript:alert(1)", "https://raw.githubusercontent.com/owner/repo/abcdef/"),
diff --git a/src/lib/rehypeProxyImages.ts b/src/lib/rehypeProxyImages.ts
@@ -26,6 +26,20 @@ const ABSOLUTE_HTTP = /^https?:\/\//i;
 const EXPLICIT_SCHEME = /^[a-z][a-z0-9+\-.]*:/i;
 const PROTOCOL_RELATIVE = /^\/\//;
 
+function getRawGitHubCommitRoot(assetBaseUrl: string): URL | null {
+  try {
+    const baseUrl = new URL(assetBaseUrl);
+    if (baseUrl.protocol !== "https:" || baseUrl.hostname !== "raw.githubusercontent.com") {
+      return null;
+    }
+    const [owner, repo, commit] = baseUrl.pathname.split("/").filter(Boolean);
+    if (!owner || !repo || !commit) return null;
+    return new URL(`/${owner}/${repo}/${commit}/`, baseUrl.origin);
+  } catch {
+    return null;
+  }
+}
+
 function resolveRelativeSrc(src: string, assetBaseUrl: string | undefined): string | null {
   if (!assetBaseUrl) return null;
   if (!src) return null;
@@ -38,7 +52,12 @@ function resolveRelativeSrc(src: string, assetBaseUrl: string | undefined): stri
   // pulling random repo-root files.
   if (src.startsWith("/")) return null;
   try {
-    return new URL(src, assetBaseUrl).toString();
+    const resolved = new URL(src, assetBaseUrl);
+    const commitRoot = getRawGitHubCommitRoot(assetBaseUrl);
+    if (!commitRoot) return null;
+    if (resolved.origin !== commitRoot.origin) return null;
+    if (!resolved.pathname.startsWith(commitRoot.pathname)) return null;
+    return resolved.toString();
   } catch {
     return null;
   }
