
fix(api): implement defensive input sanitation for profile images #2095 (#5850)

Open
shambhushekharsinha-engg wants to merge 3 commits into JhaSourav07:main from shambhushekharsinha-engg:fix/api-defensive-checks

Conversation

@shambhushekharsinha-engg

Contributor

Description

Fixes #2095

Hi @JhaSourav07, this PR resolves issue #2095 by implementing strict defensive sanitation for profile images and input handling within the API routes.

Closes #2095

Thank you!

Pillar
[ ] 🎨 Pillar 1 — New Theme Design
[ ] 📐 Pillar 2 — Geometric SVG Improvement
[ ] 🕐 Pillar 3 — Timezone Logic Optimization
[✓] 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

| Feature / Fix Component | Resolution Details |
| --- | --- |
| API Defensive Sanitation (#2095) | Introduced strict RegEx patterns and boundary validations inside app/api/streak/png/route.ts to sanitize color inputs and protect canvas rendering engines (resvg-js) against unhandled 500 crashes. |

Error Handling: Enhanced stability by preventing unhandled exceptions when processing malformed or malicious image input parameters.

Circuit Breaking: Updated internal validation logic to ensure that unexpected API input patterns are caught before reaching the resource-intensive rendering stage.

Checklist before requesting a review:
[✓] I have read the CONTRIBUTING.md file.
[✓] I have tested these changes locally.
[✓] I have run npm run format and npm run lint locally and resolved all errors.
[✓] My commits follow the Conventional Commits format (e.g., fix(api): implement defensive input sanitation).
[✓] I have starred the repo.
[✓] I have made sure that I have only one commit to merge in this PR.
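The description above talks about strict RegEx patterns and boundary validations for colour inputs before they reach resvg-js. The block below is an added example written for this page, not code from the CommitPulse repository or from this PR: it shows one way to validate colour and canvas-size query parameters so that only canonical, bounded values are ever interpolated into the SVG the renderer parses. The function names (`normalizeColor`, `parseStreakParams`, `renderStreakSvg`), the parameter names and the default values are hypothetical.

```typescript
// Added example, not code from the CommitPulse repository: strict validation
// of colour and size query parameters before anything is interpolated into
// the SVG that a renderer such as resvg-js will parse. The function names,
// parameter names and default values below are hypothetical.

// Hex colours only: 3, 4, 6 or 8 hex digits with an optional leading '#'.
const HEX_COLOR = /^#?(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/;

// Small allow-list of CSS colour names; anything outside the regex or this
// set is rejected so that free-form text never reaches the SVG parser.
const NAMED_COLORS = new Set(["black", "white", "red", "green", "blue", "orange", "transparent"]);

/** Returns a canonical colour string, or null when the input is not acceptable. */
export function normalizeColor(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value.length === 0 || value.length > 9) return null;
  if (HEX_COLOR.test(value)) return "#" + value.replace(/^#/, "").toLowerCase();
  const lower = value.toLowerCase();
  return NAMED_COLORS.has(lower) ? lower : null;
}

/** Same as normalizeColor, but substitutes a known-good fallback on rejection. */
export function sanitizeColor(raw: unknown, fallback: string): string {
  return normalizeColor(raw) ?? fallback;
}

export interface StreakParams {
  background: string;
  ring: string;
  width: number;
  height: number;
  rejected: string[]; // parameter names that were supplied but failed validation
}

/** Validates a query-string map; invalid values fall back instead of throwing. */
export function parseStreakParams(query: Record<string, string | undefined>): StreakParams {
  const rejected: string[] = [];

  const color = (name: string, fallback: string): string => {
    const raw = query[name];
    if (raw === undefined) return fallback;
    const out = normalizeColor(raw);
    if (out === null) rejected.push(name);
    return out ?? fallback;
  };

  // Digits only, then clamped into a bounded range: an oversized canvas is a
  // memory/CPU problem for the renderer, not only a cosmetic one.
  const size = (name: string, fallback: number, min: number, max: number): number => {
    const raw = query[name];
    if (raw === undefined) return fallback;
    if (!/^\d{1,5}$/.test(raw.trim())) {
      rejected.push(name);
      return fallback;
    }
    return Math.min(max, Math.max(min, Number.parseInt(raw.trim(), 10)));
  };

  return {
    background: color("background", "#ffffff"),
    ring: color("ring", "#fb8c00"),
    width: size("width", 495, 200, 1200),
    height: size("height", 195, 100, 600),
    rejected,
  };
}

/** Builds the SVG only from already-validated values. */
export function renderStreakSvg(p: StreakParams): string {
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" width="${p.width}" height="${p.height}">` +
    `<rect width="100%" height="100%" fill="${p.background}"/>` +
    `<circle cx="${p.width / 2}" cy="${p.height / 2}" r="40" fill="none" stroke="${p.ring}" stroke-width="6"/>` +
    `</svg>`
  );
}
```

The design point is that the route never passes a raw query value through: a colour is either rewritten into one canonical shape or replaced by a default, numbers are digit-checked and clamped, and the `rejected` list lets the handler log what was dropped (useful for detection) without turning a malformed parameter into a 500.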

@vercel

vercel Bot commented Jun 16, 2026

Contributor

@shambhushekharsinha-engg is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Aamod-Dev Aamod-Dev added level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. type:bug Something isn't working as expected type:testing Adding, updating, or fixing tests type:refactor Code changes that neither fix a bug nor add a feature type:security Security fixes, dependency updates, or hardening mentor:Aamod007 labels Jun 17, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Labels: level:intermediate · quality:clean · type:bug · type:testing · type:refactor · type:security · mentor:Aamod007

Difficulty — intermediate: Multi-file PR touching production types, middleware tests, and existing test fixtures. The types/dashboard.ts change modifies the WrappedStats.totalContributions type from number to RepoContribution[]. New middleware test file validates rate limiting, IP extraction from headers (x-forwarded-for, x-real-ip), and 429 responses. Updates to 3 existing test files for type compatibility. Requires understanding the middleware pipeline and type system.

Quality — clean: Comprehensive middleware test suite with 10 test cases covering: rate limit success/failure, header assertion, IP extraction priority (x-forwarded-for > x-real-ip > fallback), whitespace handling in forwarded IPs. The eslint-disable pragma in trustedProxy.empty-fallback.test.ts is a minor but appropriate fix.

Type — bug + testing + refactor + security: Type correction, new middleware tests, and security-relevant IP header handling tests.

Good multi-faceted contribution — approved! ✅
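The review above lists what the new middleware tests cover: IP extraction priority (x-forwarded-for, then x-real-ip, then a fallback), whitespace handling in forwarded lists, and 429 responses from the rate limiter. The block below is an added example written for this page, not the CommitPulse middleware or its tests: it implements that header priority and a fixed-window limiter that yields a 429 decision, so the behaviour the tests describe can be seen end to end. `extractClientIp`, `FixedWindowRateLimiter` and `rateLimitHeaders` are hypothetical names, and header keys are assumed to be lower-cased as Node's request object does.

```typescript
// Added example, not the CommitPulse middleware itself: client-IP extraction
// with the header priority the review describes (x-forwarded-for first,
// then x-real-ip, then a fallback), whitespace-tolerant parsing of the
// forwarded list, and a fixed-window rate limiter that produces a 429
// decision. Header keys are assumed lower-cased, as Node's request object does.

type HeaderMap = Record<string, string | undefined>;

/**
 * Picks the client address. Only use these headers when the request arrived
 * through a proxy you control and that overwrites them; otherwise the value
 * is whatever the client chose to send, and the limiter keys on it.
 */
export function extractClientIp(headers: HeaderMap, fallback = "unknown"): string {
  const forwarded = headers["x-forwarded-for"];
  if (forwarded !== undefined) {
    // Leftmost entry is the original client; later entries are intermediate proxies.
    const first = (forwarded.split(",")[0] ?? "").trim();
    if (first.length > 0) return first;
  }
  const real = headers["x-real-ip"]?.trim();
  if (real) return real;
  return fallback;
}

export interface RateLimitDecision {
  allowed: boolean;
  status: 200 | 429;
  remaining: number;
  retryAfterSeconds: number;
}

/** Fixed-window counter keyed by client address (in-memory, single process). */
export class FixedWindowRateLimiter {
  private readonly hits = new Map<string, { count: number; windowStart: number }>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  check(key: string, now: number = Date.now()): RateLimitDecision {
    const entry = this.hits.get(key);
    if (entry === undefined || now - entry.windowStart >= this.windowMs) {
      // New window: reset the counter for this client.
      this.hits.set(key, { count: 1, windowStart: now });
      return { allowed: true, status: 200, remaining: this.limit - 1, retryAfterSeconds: 0 };
    }
    entry.count += 1;
    if (entry.count > this.limit) {
      const retryAfterSeconds = Math.ceil((entry.windowStart + this.windowMs - now) / 1000);
      return { allowed: false, status: 429, remaining: 0, retryAfterSeconds };
    }
    return { allowed: true, status: 200, remaining: this.limit - entry.count, retryAfterSeconds: 0 };
  }
}

/** Response headers a middleware would attach for a decision. */
export function rateLimitHeaders(d: RateLimitDecision): HeaderMap {
  const out: HeaderMap = { "x-ratelimit-remaining": String(d.remaining) };
  if (!d.allowed) out["retry-after"] = String(d.retryAfterSeconds);
  return out;
}
```

Because the counter is process-local, a deployment with several instances needs a shared store for the same semantics; the header-priority logic is unaffected by that choice.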

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Difficulty: intermediate – Implements defensive input sanitation for profile images (#2095).

Quality: clean – Security hardening.

Type: security – Input validation.

Important security fix!

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 19, 2026
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 19, 2026
@github-actions

github-actions Bot commented Jun 19, 2026

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

| Asset | PR Size | Base Size | Difference | Status |
| --- | --- | --- | --- | --- |
| static/chunks/9389-[hash].js | 6.04 KB | 5.86 KB | +0.18 KB (+3.00%) | 🔴 Regression |
| static/chunks/95-[hash].js | 20.09 KB | 19.98 KB | +0.11 KB (+0.55%) | 🔴 Regression |

📊 Summary of Totals

| Category | PR Size | Base Size | Difference |
| --- | --- | --- | --- |
| Total JS | 3695.31 KB | 3694.34 KB | +0.98 KB (+0.03%) |
| Total CSS | 296.06 KB | 296.06 KB | 0 B |

@shambhushekharsinha-engg

Contributor Author

Hi @JhaSourav07,

I noticed this PR was closed, but I wanted to let you know that I've successfully resolved all the initial type-checking, linting, and formatting issues. The entire local and remote CI test suite is now 100% green (passing all 7,100+ tests) and the production build compiles perfectly.

Could you please let me know if there's any feedback or if this needs to be reopened/re-submitted? Thank you!

@JhaSourav07

Owner

@shambhushekharsinha-engg

It had merge conflicts.
Resubmit it again, please.

@JhaSourav07 JhaSourav07 reopened this Jun 20, 2026
@github-actions

Contributor

👋 Hey @shambhushekharsinha-engg! Thanks for your interest in contributing to CommitPulse! 🙏

Unfortunately, this PR has been automatically closed because you are not assigned to the linked issue #2095 — bug: perf(api): add defensive checks and validation for profile image custom URL parameters.

To avoid this in the future, please follow these steps:

  1. Claim the issue — Comment /claim on #2095 if you are the issue author, or ask a maintainer to /assign you.
  2. Wait for confirmation — The bot will confirm your assignment with a ✅ reply.
  3. Then open your PR — Link the issue with Fixes #2095 in your description.

💡 You can be assigned to up to 5 open issues at a time. Check your current assignments before claiming a new one.

We look forward to your contribution once you're assigned! 🚀

@github-actions github-actions Bot closed this Jun 20, 2026
@JhaSourav07 JhaSourav07 reopened this Jun 20, 2026

Labels

gssoc:needs-rebase level:intermediate Moderate complexity tasks mentor:Aamod007 quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. type:bug Something isn't working as expected type:refactor Code changes that neither fix a bug nor add a feature type:security Security fixes, dependency updates, or hardening type:testing Adding, updating, or fixing tests
