update metadata to only allow png images (#63)

* update metadata to only allow png images * update comment * addressed comments
Layr-Labs · Oct 31, 2023 · c396a15 · c396a15
1 parent 23a0dfd
commit c396a15
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/types/operator_metadata.go b/types/operator_metadata.go
@@ -111,7 +111,10 @@ func isImageURL(urlString string) bool {
 	extension := filepath.Ext(path)
 
 	// List of common image file extensions
-	imageExtensions := []string{".jpg", ".jpeg", ".png", ".gif", ".bmp", ".svg", ".webp"}
+	// Only support PNG for now to reduce surface area of image validation
+	// We do NOT want to support formats like SVG since they can be used for javascript injection
+	// If we get pushback on only supporting png, we can support jpg, jpeg, gif, etc. later
+	imageExtensions := []string{".png"}
 
 	// Check if the extension is in the list of image extensions
 	for _, imgExt := range imageExtensions {

diff --git a/types/operator_metadata_test.go b/types/operator_metadata_test.go
@@ -41,6 +41,17 @@ func TestOperatorMetadata(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Invalid metadata - wrong image format",
+			metadata: OperatorMetadata{
+				Name:        "test",
+				Description: "My operator",
+				Logo:        "https://test.com/test.svg",
+				Twitter:     "https://twitter.com/test",
+				Website:     "https://test.com",
+			},
+			wantErr: true,
+		},
 		{
 			name: "Invalid metadata - description > 500 characters",
 			metadata: OperatorMetadata{