PPaaS
Following links on overlay image.
The service follows redirects when resolving the overlay image URL, which allows a fairly simple and potent denial-of-service attack: a redirect that points back at the API makes the server fetch itself.
For example, using a URL shortener I was able to craft the following URL, https://ppaas.herokuapp.com/partyparrot?overlay=https://tiny.cc/FaCzXsWad, which hangs the API. It would be fairly easy to deny service completely with just a few calls to the server. The link in the overlay maps back to the full URL.
Either redirects should never be followed, or every redirect target (each hop, not just the first) needs to be checked for self-reference before it is fetched.
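An example of the second option, added here and not PPaaS's own code: redirects are followed one hop at a time and each target is vetted before it is requested, so a shortener that bounces back to the API, a loopback address, or an over-long chain is refused. The host list, the hop cap, the fetch/resolve callables and the redirect chain in the fixtures are assumptions made for the example; nothing here comes from the report beyond the URLs it names.

```python
"""Overlay URL fetcher that refuses self-referential redirect targets.

Added example, not PPaaS's own code. SELF_HOSTS, MAX_REDIRECTS, the
fetch/resolve callables and the FAKE_* fixtures are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

SELF_HOSTS = {"ppaas.herokuapp.com", "localhost"}  # hostnames the service answers on (assumed)
MAX_REDIRECTS = 3                                   # hard cap on hops (assumed)
REDIRECT_CODES = {301, 302, 303, 307, 308}


class UnsafeOverlayURL(ValueError):
    """Raised when an overlay URL, or any redirect hop, must not be fetched."""


def is_self_reference(url, self_hosts=SELF_HOSTS, resolve=socket.gethostbyname):
    """True if fetching `url` would come back to this service or a loopback/private address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeOverlayURL(f"unsupported scheme in {url!r}")
    host = (parsed.hostname or "").lower()
    if not host or host in self_hosts:
        return True
    try:
        addr = ipaddress.ip_address(host)           # literal IP, e.g. http://127.0.0.1/
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):               # socket.gaierror is an OSError
            return True                             # unresolvable: fail closed
    return addr.is_loopback or addr.is_private or addr.is_link_local


def resolve_overlay(url, fetch, self_hosts=SELF_HOSTS,
                    resolve=socket.gethostbyname, max_redirects=MAX_REDIRECTS):
    """Follow redirects one hop at a time, vetting each target *before* it is requested.

    `fetch(url)` must issue a single request with redirects disabled and return
    (status_code, location_header_or_None), e.g. with requests:
        r = requests.head(url, allow_redirects=False, timeout=5)
        return r.status_code, r.headers.get("Location")
    Returns the final, vetted URL whose body the caller may then download.
    """
    seen = set()
    current = url
    for _ in range(max_redirects + 1):
        if is_self_reference(current, self_hosts, resolve):
            raise UnsafeOverlayURL(f"refusing to fetch self-referential overlay {current!r}")
        if current in seen:
            raise UnsafeOverlayURL("redirect loop")
        seen.add(current)
        status, location = fetch(current)
        if status not in REDIRECT_CODES:
            return current
        if not location:
            raise UnsafeOverlayURL(f"{status} without Location from {current!r}")
        current = urljoin(current, location)        # relative Location headers are legal
    raise UnsafeOverlayURL(f"more than {max_redirects} redirects")


# ---- constructed offline fixtures: placeholder addresses, not real DNS/HTTP answers ----
FAKE_DNS = {"tiny.cc": "93.184.216.34", "cdn.example": "93.184.216.35"}
FAKE_HTTP = {
    # shortener hop that bounces back into the API, as described in the report
    "https://tiny.cc/FaCzXsWad":
        (301, "https://ppaas.herokuapp.com/partyparrot?overlay=https://tiny.cc/FaCzXsWad"),
    # benign shortener hop to an external image
    "https://tiny.cc/ok": (302, "https://cdn.example/parrot.png"),
    "https://cdn.example/parrot.png": (200, None),
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no fixture for {host}")


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, None))


def check(url):
    """Final URL, or the refusal reason, for the fixtures above."""
    try:
        return resolve_overlay(url, fake_fetch, resolve=fake_resolve)
    except UnsafeOverlayURL as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    for u in ("https://tiny.cc/FaCzXsWad", "https://tiny.cc/ok", "http://127.0.0.1/x.png"):
        print(u, "->", check(u))
```

Two caveats worth keeping in mind: the loopback/private check closes the obvious variant where the shortener points at 127.0.0.1 or the dyno's own address instead of the public hostname, and the hop cap plus loop detection bound the work an attacker can make the server do. The name check and the later download still resolve DNS separately, so a hostile resolver could answer differently on the second lookup; resolving once and connecting to the vetted IP removes that window.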