Filter and validate Pollinations style refs for nova-reel (PNG-only) and improve messaging#146
Mork-Zuckerbarge wants to merge 1 commit into
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d538cc3dfb
```ts
async function detectRemoteMimeType(url: string): Promise<string | null> {
  const attempt = async (method: "HEAD" | "GET"): Promise<string | null> => {
    const res = await fetch(url, { method, cache: "no-store" });
```
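Review bot: `fetch(url, { method, cache: "no-store" })` passes neither a `redirect` nor a `signal` option, so the probe follows redirects to whatever origin the remote server names and waits indefinitely on a stalled connection; pass `redirect: "manual"` (or validate `res.url` after the call) and `signal: AbortSignal.timeout(ms)`. The `content-type` value this function returns is chosen by the remote server, so callers should treat `image/png` as a filter for obvious mismatches rather than proof that the body is a PNG; a comment on `detectRemoteMimeType` stating that would keep later callers from over-trusting it.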
Block SSRF in style-reference MIME validation
The new MIME check fetches every style URL server-side, but those URLs are user-controlled via /api/app/style-pack JSON input (see mork-app/src/app/api/app/style-pack/route.ts lines 24-33) and there is no auth gate on that route. This introduces a blind SSRF path that did not exist before: an external caller can store http(s) targets on internal network ranges and trigger backend requests whenever a nova-reel video is generated. Please add URL allowlisting/private-range blocking (or avoid server-side fetch of untrusted URLs).
```ts
for (const ref of refs) {
  const mimeType = await detectRemoteMimeType(ref);
```
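Review bot: `detectRemoteMimeType` returns `string | null`, and this loop does not show what happens to a ref when the probe fails or the header is absent (`null`): dropping the ref silently loses a user's style image on a transient network error, while keeping it reintroduces the nova-reel rejection this PR is meant to prevent. Decide explicitly, and log which refs were dropped and why, so a misconfigured `MEDIA_STYLE_IMAGE_URLS` entry is diagnosable.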
Bound style MIME probe latency to avoid request hangs
Each style reference is probed sequentially with await detectRemoteMimeType(ref) and the probe uses fetch without any timeout/abort, so one slow or blackholed URL can stall generateVideo for a long time; with multiple refs this delay compounds. Because style-pack URLs are persisted and reused, a single bad URL can repeatedly degrade or effectively DoS video generation for all users until manually removed. Add per-request timeouts and/or parallel probing with a strict overall cap.
Motivation
`nova-reel` video failures by ensuring style/reference URLs are PNG images and providing actionable guidance when they are not.
Description
- `detectRemoteMimeType` to probe remote URLs (via `HEAD` then `GET`) and determine their `content-type` header.
- `normalizeVideoStyleReferences` to filter `MEDIA_STYLE_IMAGE_URLS` down to `image/png` only when `MEDIA_VIDEO_MODEL` is `nova-reel`, and wired it into `generateVideo`.
- `generateVideo` to surface a clear message when Pollinations rejects requests due to non-PNG style images for `nova-reel`.
- `mork-app/README.md` and `mork-app/env.example` to document the `nova-reel` PNG-only requirement and provide an example `MEDIA_STYLE_IMAGE_URLS` entry.
Testing
- `npm run build`, which completed successfully.
- `npm run lint`, which completed successfully.