From d5d15db9fba944658a5c814846c1af664119fd20 Mon Sep 17 00:00:00 2001
From: h4p-t4p
Date: Mon, 8 Dec 2025 00:27:11 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 4: Incomplete URL substring sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/imageProxy.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/utils/imageProxy.ts b/src/utils/imageProxy.ts
index 22a10e8..0314ac7 100644
--- a/src/utils/imageProxy.ts
+++ b/src/utils/imageProxy.ts
@@ -12,11 +12,20 @@ const WORKER_DOMAIN =
  */
 export function getProxiedImageUrl(notionUrl: string): string {
   // Return original URL if it's already a local path or external URL
+  // Only proxy Notion S3 images by host, not by substring match
+  let host = "";
+  try {
+    const parsedUrl = new URL(notionUrl);
+    host = parsedUrl.host;
+  } catch {
+    // If invalid URL, treat as non-proxyable
+    return notionUrl;
+  }
   if (
     !notionUrl ||
     notionUrl.startsWith("/") ||
-    (!notionUrl.includes("s3.us-west-2.amazonaws.com") &&
-      !notionUrl.includes("prod-files-secure.s3"))
+    (host !== "s3.us-west-2.amazonaws.com" &&
+      host !== "prod-files-secure.s3.amazonaws.com")
   ) {
     return notionUrl;
   }
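Review bot: The exact host comparison on the added lines drops a case the removed substring test accepted: `prod-files-secure.s3` also matched the regional form `prod-files-secure.s3.us-west-2.amazonaws.com`, and if Notion serves files from that host (likely, but confirm against a real URL) those images now fall through and are returned unproxied, so the allowed hosts should be an explicit allow-list rather than a single narrowed value. The parsed URL is also only inspected for its host, so an `http:` or other non-https URL with an allowed host still reaches the proxying code below the hunk; checking `parsedUrl.protocol === "https:"` before the host test closes that, and `hostname` is the better field than `host` since the latter carries any non-default port. The `!notionUrl || notionUrl.startsWith("/")` tests are now unreachable, because the empty string and a bare path both make `new URL()` throw and return from the `catch` first, and the retained `// Return original URL ...` comment no longer sits above the code it describes. getProxiedImageUrl's body continues past the end of the hunk.
```typescript
// New, alongside WORKER_DOMAIN. The regional host is included because the old
// substring check accepted it — confirm against real Notion file URLs.
const NOTION_IMAGE_HOSTS = new Set([
  "s3.us-west-2.amazonaws.com",
  "prod-files-secure.s3.amazonaws.com",
  "prod-files-secure.s3.us-west-2.amazonaws.com",
]);

export function getProxiedImageUrl(notionUrl: string): string {
  // Only proxy Notion S3 images: exact https hostname match, never a substring test
  let parsedUrl: URL;
  try {
    parsedUrl = new URL(notionUrl);
  } catch {
    // Relative paths, the empty string and malformed input are returned untouched
    return notionUrl;
  }
  if (
    parsedUrl.protocol !== "https:" ||
    !NOTION_IMAGE_HOSTS.has(parsedUrl.hostname)
  ) {
    return notionUrl;
  }
  // … unchanged: proxied URL construction …
```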