feat(next/image)!: add images.maximumResponseBody config (#88183)

Add `images.maximumResponseBody` configuration to exit early when
attempting to optimize large source images.

Author: styfle

crates/next-build-test/nextConfig.json

@@ -30,6 +30,7 @@
     "disableStaticImages": false,
     "minimumCacheTTL": 60,
     "formats": ["image/avif", "image/webp"],
+    "maximumResponseBody": 300000000,
     "dangerouslyAllowSVG": false,
     "contentSecurityPolicy": "script-src 'none'; frame-src 'none'; sandbox;",
     "contentDispositionType": "inline",

docs/01-app/03-api-reference/02-components/image.mdx

@@ -774,6 +774,28 @@ module.exports = {
 }
 ```
 
+#### `maximumResponseBody`
+
+The default image optimization loader will fetch source images up to 300 MB in size.
+
+```js filename="next.config.js"
+module.exports = {
+  images: {
+    maximumResponseBody: 300_000_000,
+  },
+}
+```
+
+If you know all your source images are small, you can protect memory constrained servers by reducing this to a smaller value such as 50 MB.
+
+```js filename="next.config.js"
+module.exports = {
+  images: {
+    maximumResponseBody: 50_000_000,
+  },
+}
+```
+
 #### `dangerouslyAllowSVG`
 
 `dangerouslyAllowSVG` allows you to serve SVG images.

packages/next/src/server/config-schema.ts

@@ -654,6 +654,12 @@ export const configSchema: zod.ZodType<NextConfig> = z.lazy(() =>
           .optional(),
         loader: z.enum(VALID_LOADERS).optional(),
         loaderFile: z.string().optional(),
+        maximumResponseBody: z
+          .number()
+          .int()
+          .min(1)
+          .max(Number.MAX_SAFE_INTEGER)
+          .optional(),
         minimumCacheTTL: z.number().int().gte(0).optional(),
         path: z.string().optional(),
         qualities: z

packages/next/src/server/image-optimizer.ts

@@ -694,7 +694,10 @@ export async function optimizeImage({
   return optimizedBuffer
 }
 
-export async function fetchExternalImage(href: string): Promise<ImageUpstream> {
+export async function fetchExternalImage(
+  href: string,
+  maximumResponseBody: number
+): Promise<ImageUpstream> {
   const res = await fetch(href, {
     signal: AbortSignal.timeout(7_000),
   }).catch((err) => err as Error)
@@ -719,7 +722,35 @@ export async function fetchExternalImage(href: string): Promise<ImageUpstream> {
     )
   }
 
-  const buffer = Buffer.from(await res.arrayBuffer())
+  if (!res.body) {
+    Log.error('upstream image response is empty for', href)
+    throw new ImageError(
+      400,
+      '"url" parameter is valid but upstream response is invalid'
+    )
+  }
+
+  const chunks: Buffer[] = []
+  let totalSize = 0
+
+  for await (const c of res.body) {
+    const chunk = Buffer.from(c)
+    totalSize += chunk.byteLength
+    if (totalSize > maximumResponseBody) {
+      Log.error(
+        'upstream image response exceeded maximum size for',
+        href,
+        totalSize
+      )
+      throw new ImageError(
+        413,
+        '"url" parameter is valid but upstream response is invalid'
+      )
+    }
+    chunks.push(chunk)
+  }
+
+  const buffer = Buffer.concat(chunks)
   const contentType = res.headers.get('Content-Type')
   const cacheControl = res.headers.get('Cache-Control')
   const etag = extractEtag(res.headers.get('ETag'), buffer)

packages/next/src/server/next-server.ts

@@ -786,7 +786,10 @@ export default class NextNodeServer extends BaseServer<
       const { isAbsolute, href } = paramsResult
 
       const imageUpstream = isAbsolute
-        ? await fetchExternalImage(href)
+        ? await fetchExternalImage(
+            href,
+            this.nextConfig.images.maximumResponseBody
+          )
         : await fetchInternalImage(
             href,
             req.originalRequest,

packages/next/src/shared/lib/image-config.ts

@@ -103,6 +103,9 @@ export type ImageConfigComplete = {
   /** @see [Acceptable formats](https://nextjs.org/docs/api-reference/next/image#acceptable-formats) */
   formats: ImageFormat[]
 
+  /** @see [Maximum Response Body](https://nextjs.org/docs/api-reference/next/image#maximumresponsebody) */
+  maximumResponseBody: number
+
   /** @see [Dangerously Allow SVG](https://nextjs.org/docs/api-reference/next/image#dangerously-allow-svg) */
   dangerouslyAllowSVG: boolean
 
@@ -137,6 +140,7 @@ export const imageConfigDefault: ImageConfigComplete = {
   disableStaticImages: false,
   minimumCacheTTL: 60,
   formats: ['image/webp'],
+  maximumResponseBody: 300_000_000, // 300MB
   dangerouslyAllowSVG: false,
   contentSecurityPolicy: `script-src 'none'; frame-src 'none'; sandbox;`,
   contentDispositionType: 'attachment',

test/integration/next-image-new/app-dir-localpatterns/test/index.test.ts

@@ -96,6 +96,7 @@ function runTests(mode: 'dev' | 'server') {
               search: '',
             },
           ],
+          maximumResponseBody: 300000000,
           minimumCacheTTL: 60,
           path: '/_next/image',
           qualities: undefined,

test/integration/next-image-new/app-dir-qualities/test/index.test.ts

@@ -107,6 +107,7 @@ function runTests(mode: 'dev' | 'server') {
           loaderFile: '',
           remotePatterns: [],
           localPatterns: undefined,
+          maximumResponseBody: 300000000,
           minimumCacheTTL: 60,
           path: '/_next/image',
           qualities: [42, 69, 88],

test/integration/next-image-new/app-dir/test/index.test.ts

@@ -1634,6 +1634,7 @@ function runTests(mode: 'dev' | 'server') {
           loaderFile: '',
           remotePatterns: [],
           localPatterns: undefined,
+          maximumResponseBody: 300000000,
           minimumCacheTTL: 60,
           path: '/_next/image',
           qualities: undefined,

test/integration/next-image-new/unicode/test/index.test.ts

@@ -94,6 +94,7 @@ function runTests(mode: 'server' | 'dev') {
               search: '',
             },
           ],
+          maximumResponseBody: 300000000,
           minimumCacheTTL: 60,
           path: '/_next/image',
           sizes: [