Thank you for your PR that enables CDN usage for custom emojis.
While your frontend fix correctly requests emoji CDN addresses, I’m concerned about backend security.
The https://meta.discourse.org/emojis.json endpoint still exposes S3 source URLs like //assets-meta-cdck-prod-meta.s3.dualstack.us-west-1.amazonaws.com/original/3X/6/1/61e481320406f0f82ed780db3f04056128191613.png, which could potentially lead to malicious abuse and excessive S3 billing.
For better security, I suggest returning CDN addresses directly, similar to how non-custom emojis are handled.
Here’s my attempt at fixing the code:
class EmojisController < ApplicationController
def index
emojis = Emoji.allowed.group_by(&:group)
emojis.each do |_, emoji_list|
emoji_list.each do |emoji|
emoji.url = Discourse.store.cdn_url(emoji.url) if emoji.url.present?
end
end
render json: MultiJson.dump(emojis)
end
def search_aliases
render json: MultiJson.dump(Emoji.search_aliases)
end
end
Yes I know we do it directly for non custom emoji in emoji.rb which I would prefer than the controller. I want to ensure this is not toing to cause issues though, so I made the simplest fix for now, but will dig this in the future.