activist
Image Processing Vulnerabilities in content/serializers.py
Terms
- [x] I have searched all open bug reports
- [x] I agree to follow activist's Code of Conduct
Behavior
Description
The scrub_exif() function in backend/content/serializers.py contains security vulnerabilities that could lead to denial of service attacks, memory exhaustion, and bypass of security controls.
Affected Code
The vulnerability occurs in:
scrub_exif() function (lines 74-133)
Steps to Reproduce
- Upload a large image file (>10MB) through any image upload endpoint
- Upload a non-image file with image extension
- Upload an image with extremely large dimensions but small file size (decompression bomb)
- Observe that current code processes these without proper validation
Expected Behavior
- Files exceeding size limits should be rejected with clear error messages
- Non-image files should be detected and rejected
Actual Behavior
- A generic except Exception clause catches all errors and allows malicious files through
- No file size validation before processing
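The following is an added example, not code from the activist project and not part of this issue: a stand-alone Python sketch of the checks the expected behaviour above calls for, in the order a serializer should apply them (size limit before any parsing, content sniffing instead of trusting the extension, a pixel budget read from the frame header before any decoding, and only then metadata removal), with a narrow exception type in place of a bare except Exception. To run without Pillow it walks JPEG marker segments directly; the names MAX_UPLOAD_BYTES, MAX_PIXELS, ImageValidationError, check_upload and constructed_jpeg, and the limits themselves, are assumptions for this example. Only JPEG is handled here; a PNG path would need the same pattern over the IHDR chunk and tEXt/iTXt/eXIf chunks.

```python
import struct

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed limit for this example, checked before any parsing
MAX_PIXELS = 20_000_000               # assumed width * height ceiling against decompression bombs
JPEG_MAGIC = b"\xff\xd8\xff"          # SOI followed by the first marker; the extension is ignored

class ImageValidationError(ValueError):
    """Everything the upload path should reject; callers catch this, never bare Exception."""

def _jpeg_segments(data):
    # Yield (marker, start, end) per header segment; the final SOS entry spans to end of file.
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ImageValidationError("malformed JPEG: expected a marker byte")
        marker = data[i + 1]
        if marker == 0xDA:                                # start of scan: entropy-coded data follows
            yield marker, i, len(data)
            return
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD9:   # fill byte or standalone marker
            i += 1 if marker == 0xFF else 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ImageValidationError("malformed JPEG: bad segment length")
        yield marker, i, end
        i = end
    raise ImageValidationError("truncated JPEG: no start-of-scan marker")

def jpeg_dimensions(data):
    # Read width/height from the SOFn frame header without decoding any pixels.
    for marker, start, end in _jpeg_segments(data):
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC) and end - start >= 9:
            height, width = struct.unpack(">HH", data[start + 5:start + 9])
            return width, height
    raise ImageValidationError("malformed JPEG: no frame header before scan data")

def strip_jpeg_metadata(data):
    out = bytearray(data[:2])                             # keep SOI
    for marker, start, end in _jpeg_segments(data):
        if marker not in (0xE1, 0xED):                    # drop APP1 (EXIF/XMP) and APP13 (IPTC)
            out += data[start:end]
    return bytes(out)

def validate_and_scrub(data):
    # Order matters: size limit, content sniffing, pixel budget, and only then metadata removal.
    if len(data) > MAX_UPLOAD_BYTES:
        raise ImageValidationError(f"file is {len(data)} bytes, limit is {MAX_UPLOAD_BYTES}")
    if not data.startswith(JPEG_MAGIC):
        raise ImageValidationError("content is not a JPEG, whatever the file extension says")
    width, height = jpeg_dimensions(data)
    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        raise ImageValidationError(f"{width}x{height} exceeds {MAX_PIXELS} pixels (decompression bomb?)")
    return strip_jpeg_metadata(data)

def check_upload(data):
    # (True, scrubbed bytes) or (False, reason): what a serializer would turn into a field error.
    try:
        return True, validate_and_scrub(data)
    except ImageValidationError as exc:                   # narrow catch; any other error is a bug
        return False, str(exc)

def constructed_jpeg(width=32, height=16, with_exif=True):
    # Constructed sample: structurally valid JPEG headers around placeholder scan data, not a real photo.
    parts = [b"\xff\xd8"]
    if with_exif:
        exif = b"Exif\x00\x00" + b"\x00" * 10             # APP1 payload carrying an EXIF header
        parts.append(b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif)
    sof0 = b"\x08" + struct.pack(">HH", height, width) + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    parts.append(b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)
    sos = b"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    parts.append(b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + b"\x12\x34\xff\xd9")
    return b"".join(parts)

if __name__ == "__main__":
    samples = {"photo.jpg": constructed_jpeg(), "bomb.jpg": constructed_jpeg(65535, 65535),
               "notes.jpg": b"GIF89a" + b"\x00" * 32, "cut.jpg": constructed_jpeg()[:20]}
    for name, blob in samples.items():
        ok, result = check_upload(blob)
        print(name, f"accepted, {len(result)} bytes after scrub" if ok else f"rejected: {result}")
```

The bomb case is the one the generic handler hides: a 65535x65535 frame header in a file under 100 bytes passes a size check and only fails at decode time, so the pixel budget has to be enforced from the header before any decoder runs. With Pillow the equivalent controls are Image.MAX_IMAGE_PIXELS together with catching PIL.Image.DecompressionBombError and PIL.UnidentifiedImageError specifically, rather than Exception.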
Hey @monu808 👋 Could you edit the issue text and add some permanent links to the part of the code that you're referring to in the code? Would be really helpful!
Do you have interest in working on this?
Hey @andrewtavis 👋 — thanks for the feedback!
I’ve added permanent links to the specific part of the scrub_exif() function in backend/content/serializers.py where the vulnerability occurs. Yes, I’d like to work on this issue.
I’ll open a PR with required changes once the links are confirmed and any additional requirements are clarified.
Thanks so much, @monu808 :) Really nice looking issue now. Feel free to open a PR and we'll check it out!