From 28fc89448fae2e77cf1c2077b354d4f5501c7b57 Mon Sep 17 00:00:00 2001
From: Steven
Date: Thu, 4 Jul 2024 15:55:32 -0400
Subject: [PATCH] fix(next/image): handle invalid url (#67465)

---
 packages/next/src/server/image-optimizer.ts | 6 ++++++
 test/integration/image-optimizer/test/util.ts | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/packages/next/src/server/image-optimizer.ts b/packages/next/src/server/image-optimizer.ts
index 8f28117e93..4dfd153e84 100644
--- a/packages/next/src/server/image-optimizer.ts
+++ b/packages/next/src/server/image-optimizer.ts
@@ -213,6 +213,12 @@ export class ImageOptimizerCache {
 }
 }
 
+ if (url.startsWith('/_next/image')) {
+ return {
+ errorMessage: '"url" parameter cannot be recursive',
+ }
+ }
+
 let isAbsolute: boolean
 
 if (url.startsWith('/')) {
diff --git a/test/integration/image-optimizer/test/util.ts b/test/integration/image-optimizer/test/util.ts
index 13ced1f674..bf2a25e086 100644
--- a/test/integration/image-optimizer/test/util.ts
+++ b/test/integration/image-optimizer/test/util.ts
@@ -1021,6 +1021,13 @@ export function runTests(ctx: RunTestsCtx) {
 )
 })
 
+ it('should fail when url is recursive', async () => {
+ const query = { url: `/_next/image?url=test.pngw=1&q=1`, w: ctx.w, q: 1 }
+ const res = await fetchViaHTTP(ctx.appPort, '/_next/image', query, {})
+ expect(res.status).toBe(400)
+ expect(await res.text()).toBe(`"url" parameter cannot be recursive`)
+ })
+
 it('should fail when internal url is not an image', async () => {
 const url = `/api/no-header`
 const query = { url, w: ctx.w, q: 39 }
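Review bot: The new guard `url.startsWith('/_next/image')` compares the raw query value against one literal spelling, so it rejects the self-referencing case only when the value is written exactly that way. As far as this hunk shows, a value that resolves to the same endpoint in another form (a configured base path in front, percent-encoded characters in the path) would still fall through to the `url.startsWith('/')` branch below. Consider matching on the parsed and decoded pathname instead, for example `/\/_next\/image($|\/)/.test(decodedPathname)`, with a malformed encoding treated as an invalid url. A short comment such as `// a url that points back at the optimizer would make it request itself` would also record why the check exists. The enclosing method begins and ends outside the hunk, so normalisation done earlier cannot be ruled out from here.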
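Review bot: The fixture value in the new test, `/_next/image?url=test.pngw=1&q=1`, appears to be missing the `&` between `test.png` and `w=1`. The test still passes because the server only looks at the path prefix, but the value no longer resembles a real optimizer request; writing it as `/_next/image?url=test.png&w=1&q=1` keeps the intent readable. The test also pins only the exact-prefix form, so a second case with the app's base path in front of `/_next/image` would show whether the guard covers that deployment shape. `runTests` continues outside the hunk.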