Add nextjs-images-wildcard-hostname security rule

mortezapiri · mortezapiri · commit 8602a824a510 · 2025-09-28T22:55:12.000+03:30
- Detects overly permissive wildcard hostnames in Next.js images.remotePatterns
- Prevents image injection attacks and potential SSRF vulnerabilities
- Includes comprehensive test cases with positive and negative examples
- Follows security metadata standards (CWE-200, OWASP A05:2021)
- Targets javascript and typescript languages

Fixes: Security misconfiguration in Next.js image configuration
Category: security
Technology: nextjs
diff --git a/javascript/nextjs/security/nextjs-images-wildcard-hostname.js b/javascript/nextjs/security/nextjs-images-wildcard-hostname.js
@@ -0,0 +1,130 @@
+// Test cases for nextjs-images-wildcard-hostname rule
+
+// BAD: Using wildcard hostname - should trigger the rule
+const badConfig1 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: '**', // ERROR: Wildcard hostname
+        port: '',
+        pathname: '/account123/**',
+      },
+    ],
+  },
+};
+
+// BAD: Another wildcard hostname pattern - should trigger the rule
+const badConfig2 = {
+  images: {
+    remotePatterns: [
+      {
+        hostname: '**', // ERROR: Wildcard hostname
+      },
+    ],
+  },
+};
+
+// BAD: Wildcard in nested structure - should trigger the rule
+const badConfig3 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: '**', // ERROR: Wildcard hostname
+        port: '8080',
+        pathname: '/images/**',
+      },
+    ],
+  },
+};
+
+// GOOD: Specific domain - should not trigger the rule
+const goodConfig1 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: 'example.com', // OK: Specific domain
+        port: '',
+        pathname: '/account123/**',
+      },
+    ],
+  },
+};
+
+// GOOD: Multiple specific domains - should not trigger the rule
+const goodConfig2 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: 'cdn.example.com', // OK: Specific subdomain
+        port: '',
+        pathname: '/images/**',
+      },
+      {
+        protocol: 'https',
+        hostname: 'assets.example.com', // OK: Another specific subdomain
+        port: '',
+        pathname: '/public/**',
+      },
+    ],
+  },
+};
+
+// GOOD: Using subdomain wildcard (more restrictive) - should not trigger the rule
+const goodConfig3 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: '*.example.com', // OK: Subdomain wildcard (more restrictive)
+        port: '',
+        pathname: '/images/**',
+      },
+    ],
+  },
+};
+
+// GOOD: Localhost and specific IP - should not trigger the rule
+const goodConfig4 = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'http',
+        hostname: 'localhost', // OK: Localhost
+        port: '3000',
+        pathname: '/uploads/**',
+      },
+      {
+        protocol: 'https',
+        hostname: '192.168.1.100', // OK: Specific IP
+        port: '',
+        pathname: '/media/**',
+      },
+    ],
+  },
+};
+
+// GOOD: Empty remotePatterns - should not trigger the rule
+const goodConfig5 = {
+  images: {
+    remotePatterns: [], // OK: Empty array
+  },
+};
+
+// GOOD: No images config - should not trigger the rule
+const goodConfig6 = {
+  // No images configuration
+  experimental: {
+    appDir: true,
+  },
+};
+
+// GOOD: Images config without remotePatterns - should not trigger the rule
+const goodConfig7 = {
+  images: {
+    domains: ['example.com'], // OK: Using domains instead of remotePatterns
+  },
+};
diff --git a/javascript/nextjs/security/nextjs-images-wildcard-hostname.yaml b/javascript/nextjs/security/nextjs-images-wildcard-hostname.yaml
@@ -0,0 +1,40 @@
+rules:
+  - id: nextjs-images-wildcard-hostname
+    message: >-
+      Avoid using '**' for images.remotePatterns.hostname (overly permissive, security risk).
+      Using wildcard hostnames allows loading images from any domain, which can lead to:
+      - Image injection attacks
+      - Data exfiltration through image requests
+      - Potential SSRF vulnerabilities
+      Instead, specify exact domains or use more restrictive patterns.
+    languages:
+      - javascript
+      - typescript
+    severity: ERROR
+    patterns:
+      - pattern: |
+          {
+            hostname: "**"
+          }
+      - pattern-inside: |
+          images: {
+            remotePatterns: [
+              ...
+            ]
+          }
+    metadata:
+      category: security
+      technology:
+        - nextjs
+      subcategory:
+        - vuln
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      cwe:
+        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp:
+        - A05:2021 - Security Misconfiguration
+      references:
+        - https://nextjs.org/docs/app/api-reference/next-config-js/images#remotepatterns
+        - https://nextjs.org/docs/pages/api-reference/next-config-js/images#remotepatterns
