refactor(imageProxy): remove redundant validation and unused code

github-actions[bot] · idoshamun · github-actions[bot] · commit 89d126e0184a · 2026-02-04T10:51:33.000Z
- Remove redundant protocol check in validateImageUrl (already filtered by isExternalImageUrl)
- Remove unused proxyImagesInHtml function and its tests
- Update AGENTS.md with best practices for avoiding dead code and redundant validation

Co-authored-by: Ido Shamun &lt;idoshamun@users.noreply.github.com&gt;
diff --git a/__tests__/common/imageProxy.ts b/__tests__/common/imageProxy.ts
@@ -5,7 +5,6 @@ import {
   validateImageUrl,
   isExternalImageUrl,
   getProxiedImageUrl,
-  proxyImagesInHtml,
 } from '../../src/common/imageProxy';
 
 const configureCloudinary = () => {
@@ -153,24 +152,6 @@ describe('imageProxy', () => {
       expect(validateImageUrl(longUrl)).toBe('URL exceeds maximum length');
     });
 
-    it('should return error for file:// protocol', () => {
-      expect(validateImageUrl('file:///etc/passwd')).toBe(
-        'Only HTTP and HTTPS protocols are allowed',
-      );
-    });
-
-    it('should return error for ftp:// protocol', () => {
-      expect(validateImageUrl('ftp://example.com/image.png')).toBe(
-        'Only HTTP and HTTPS protocols are allowed',
-      );
-    });
-
-    it('should return error for javascript: protocol', () => {
-      expect(validateImageUrl('javascript:alert(1)')).toBe(
-        'Only HTTP and HTTPS protocols are allowed',
-      );
-    });
-
     it('should return error for private IP addresses', () => {
       expect(validateImageUrl('http://127.0.0.1/image.png')).toBe(
         'Private IP addresses are not allowed',
@@ -269,62 +250,4 @@ describe('imageProxy', () => {
       expect(result).toMatch(/s--[A-Za-z0-9_-]+--/);
     });
   });
-
-  describe('proxyImagesInHtml', () => {
-    beforeEach(() => {
-      process.env.CLOUDINARY_URL = 'cloudinary://test:test@daily-now';
-      configureCloudinary();
-    });
-
-    it('should return empty string for empty input', () => {
-      expect(proxyImagesInHtml('')).toBe('');
-    });
-
-    it('should return null for null input', () => {
-      expect(proxyImagesInHtml(null as unknown as string)).toBe(null);
-    });
-
-    it('should proxy external image URLs in img tags', () => {
-      const html = '<p>Hello</p><img src="https://example.com/image.png">';
-      const result = proxyImagesInHtml(html);
-
-      expect(result).toContain('media.daily.dev');
-      expect(result).toContain('/image/fetch/');
-      // The original URL is included in the Cloudinary fetch URL path (this is expected)
-      expect(result).toContain('src="https://media.daily.dev');
-    });
-
-    it('should not modify images from allowed domains', () => {
-      const html = '<img src="https://media.daily.dev/image.png">';
-      const result = proxyImagesInHtml(html);
-
-      expect(result).toBe(html);
-    });
-
-    it('should handle multiple images', () => {
-      const html =
-        '<img src="https://example.com/1.png"><img src="https://evil.com/2.gif">';
-      const result = proxyImagesInHtml(html);
-
-      // Both images should be proxied through Cloudinary
-      expect(result.match(/media\.daily\.dev/g)?.length).toBe(2);
-      expect(result).toContain('/image/fetch/');
-    });
-
-    it('should preserve other attributes on img tags', () => {
-      const html =
-        '<img alt="test" src="https://example.com/image.png" class="photo">';
-      const result = proxyImagesInHtml(html);
-
-      expect(result).toContain('alt="test"');
-      expect(result).toContain('class="photo"');
-    });
-
-    it('should handle img tags with single quotes', () => {
-      const html = "<img src='https://example.com/image.png'>";
-      const result = proxyImagesInHtml(html);
-
-      expect(result).toContain('media.daily.dev');
-    });
-  });
 });
diff --git a/src/common/imageProxy.ts b/src/common/imageProxy.ts
@@ -62,6 +62,9 @@ export function isAllowedDomain(url: string): boolean {
 /**
  * Validates that a URL is safe to proxy
  * Returns an error message if invalid, or null if valid
+ *
+ * Note: This assumes the URL is already http/https since it's called after
+ * isExternalImageUrl check which filters out non-http/https URLs.
  */
 export function validateImageUrl(url: string): string | null {
   // Check URL length
@@ -72,11 +75,6 @@ export function validateImageUrl(url: string): string | null {
   try {
     const parsedUrl = new URL(url);
 
-    // Only allow http and https protocols
-    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
-      return 'Only HTTP and HTTPS protocols are allowed';
-    }
-
     // Block private/internal IP addresses (SSRF prevention)
     if (isPrivateIP(parsedUrl.hostname)) {
       return 'Private IP addresses are not allowed';
@@ -161,28 +159,3 @@ export function getProxiedImageUrl(externalUrl: string): string | null {
     return externalUrl;
   }
 }
-
-/**
- * Processes HTML content to proxy all external image URLs
- * This is used as a fallback for content that wasn't processed during markdown rendering
- *
- * @param html The HTML content containing images
- * @returns The HTML with external image URLs replaced with proxied URLs
- */
-export function proxyImagesInHtml(html: string): string {
-  if (!html) {
-    return html;
-  }
-
-  // Match img tags and replace src attributes
-  return html.replace(
-    /<img\s+([^>]*?)src=["']([^"']+)["']([^>]*)>/gi,
-    (match, before, src, after) => {
-      const proxiedUrl = getProxiedImageUrl(src);
-      if (proxiedUrl && proxiedUrl !== src) {
-        return `<img ${before}src="${proxiedUrl}"${after}>`;
-      }
-      return match;
-    },
-  );
-}
