Update NextJS version (#533)

Update NextJS version to `15.5.3` and `@sentry/nextjs` to `10.11.0`

Author: AlexJSully

cypress/e2e/security/image.cy.ts

@@ -0,0 +1,40 @@
+describe('Image Security Tests', () => {
+	beforeEach(() => {
+		cy.visit('http://localhost:3000');
+	});
+
+	afterEach(() => {
+		cy.a11yCheck();
+	});
+
+	it('should only allow configured remote image domains', () => {
+		// Based on your next.config.js, only alexjsully.me should be allowed
+		const disallowedDomain = 'https://random-external-site.com/image.jpg';
+
+		cy.request({
+			url: `/_next/image?url=${encodeURIComponent(disallowedDomain)}&w=640&q=75`,
+			failOnStatusCode: false,
+		}).then((response) => {
+			// Should return error status, not serve the image
+			expect(response.status).to.not.equal(200);
+		});
+	});
+
+	it('should prevent file download attacks through image optimization', () => {
+		// Test that image optimization doesn't allow arbitrary file downloads
+		const maliciousParams = ['../../../../etc/passwd', 'file:///etc/hosts'];
+
+		maliciousParams.forEach((param) => {
+			cy.request({
+				url: `/_next/image?url=${encodeURIComponent(param)}&w=640&q=75`,
+				failOnStatusCode: false,
+			}).then((response) => {
+				// Should return error status, not serve files
+				expect(response.status).to.not.equal(200);
+				const contentType = response.headers['content-type'] || '';
+				expect(contentType).to.not.include('text/plain');
+				expect(contentType).to.not.include('application/octet-stream');
+			});
+		});
+	});
+});

cypress/e2e/security/middleware.cy.ts

@@ -0,0 +1,99 @@
+describe('Middleware Security Tests', () => {
+	beforeEach(() => {
+		cy.visit('http://localhost:3000');
+	});
+
+	afterEach(() => {
+		cy.a11yCheck();
+	});
+
+	it('should prevent SSRF through middleware headers', () => {
+		// Test that sensitive headers are not reflected back
+		const sensitiveHeaders = {
+			'X-Forwarded-Host': 'evil.com',
+			'X-Forwarded-Proto': 'http',
+			'X-Real-IP': '127.0.0.1',
+			'X-Forwarded-For': '192.168.1.1, evil.com',
+			Host: 'attacker.site',
+		};
+
+		Object.entries(sensitiveHeaders).forEach(([headerName, headerValue]) => {
+			cy.request({
+				url: 'http://localhost:3000',
+				headers: {
+					[headerName]: headerValue,
+				},
+				failOnStatusCode: false,
+			}).then((response) => {
+				// Check that sensitive headers are not reflected in response
+				const responseHeaders = Object.keys(response.headers).map((key) => key.toLowerCase());
+				const responseHeaderValues = Object.values(response.headers).join(' ');
+
+				// Ensure the malicious header value is not reflected back
+				expect(responseHeaderValues).to.not.include(headerValue);
+
+				// Check that response doesn't contain redirect to external domain
+				if (response.status >= 300 && response.status < 400) {
+					const location = response.headers.location;
+					if (location) {
+						expect(location).to.not.include('evil.com');
+						expect(location).to.not.include('attacker.site');
+					}
+				}
+			});
+		});
+	});
+
+	it('should validate redirect destinations in middleware', () => {
+		// Test that redirects don't allow SSRF
+		const maliciousRedirects = [
+			'http://evil.com',
+			'https://attacker.site/steal-data',
+			'ftp://internal-server.local',
+			'file:///etc/passwd',
+			'gopher://localhost:25',
+		];
+
+		maliciousRedirects.forEach((redirectUrl) => {
+			cy.request({
+				url: `http://localhost:3000?redirect=${encodeURIComponent(redirectUrl)}`,
+				followRedirect: false,
+				failOnStatusCode: false,
+			}).then((response) => {
+				if (response.status >= 300 && response.status < 400) {
+					const location = response.headers.location;
+					if (location) {
+						// Should not redirect to external or malicious URLs
+						expect(location).to.not.include('evil.com');
+						expect(location).to.not.include('attacker.site');
+						expect(location).to.not.match(/^(ftp|file|gopher):/);
+
+						// Should only redirect to same origin or relative paths
+						if (typeof location === 'string' && location.startsWith('http')) {
+							expect(location).to.match(/^https?:\/\/localhost(:\d+)?/);
+						}
+					}
+				}
+			});
+		});
+	});
+
+	it('should sanitize request headers in middleware processing', () => {
+		// Test that middleware doesn't process dangerous header combinations
+		cy.request({
+			url: 'http://localhost:3000',
+			headers: {
+				'X-Forwarded-Host': 'evil.com',
+				'X-Forwarded-Proto': 'javascript',
+				'X-Original-URL': '/admin/secret',
+				'X-Rewrite-URL': '/../../etc/passwd',
+			},
+			failOnStatusCode: false,
+		}).then((response) => {
+			// Verify response doesn't expose internal paths or dangerous content
+			expect(response.body).to.not.include('/etc/passwd');
+			expect(response.body).to.not.include('/admin/secret');
+			expect(response.status).to.not.equal(500); // Should handle gracefully
+		});
+	});
+});

cypress/e2e/security.cy.ts cypress/e2e/security/security.cy.tscypress/e2e/security.cy.ts renamed to cypress/e2e/security/security.cy.ts

@@ -1,4 +1,4 @@
-describe('Security Tests', () => {
+describe('General Security Tests', () => {
 	beforeEach(() => {
 		cy.visit('http://localhost:3000');
 	});