fix: enhance image processing and file validation in scrub_exif function

Open monu808 opened this issue 1 month ago • 3 comments

Fixes #1561

Problem

The scrub_exif() function had security vulnerabilities:

  • Generic except Exception silently returned unprocessed files with EXIF intact
  • No file size validation (DoS risk)
  • No format allowlist (malicious file uploads)
  • No decompression bomb protection (memory exhaustion)
  • Silent failures allowed bypassing security checks

Solution

Complete refactor with security-first approach:

  1. Pre-processing validation: File size check before loading into memory
  2. Format allowlist: Only JPEG, PNG, WEBP allowed
  3. Decompression bomb protection: Catches DecompressionBombError + pixel count check
  4. Specific exception handling:
    • UnidentifiedImageError - Invalid images
    • DecompressionBombError - Decompression bombs
    • OSError - System errors
    • MemoryError - Memory exhaustion
  5. No silent failures: All errors raise ValidationError
  6. Security logging: All events logged for monitoring

@andrewtavis I checked the solution by creating a test file and it passed all the tests. Kindly review it; if you find any discrepancies I'll fix them. Thank you.

monu808 avatar Oct 10 '25 09:10 monu808
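
The validation order listed in the description above, sketched with Pillow as an added example (not the code from this pull request or from the activist repository). The name scrub_exif_strict, the logger name, the two limits and the local ValidationError class are assumptions standing in for the project's own.

```python
import io
import logging

from PIL import Image, UnidentifiedImageError

logger = logging.getLogger("uploads.images")  # hypothetical logger name
ALLOWED_FORMATS = {"JPEG", "PNG", "WEBP"}      # allowlist named in the PR
MAX_BYTES = 5 * 1024 * 1024                    # assumed limit
MAX_PIXELS = 25_000_000                        # assumed limit


class ValidationError(Exception):
    """Local stand-in for the framework's validation error."""


def _reject(reason):
    logger.warning("image rejected: %s", reason)  # security event for monitoring
    return ValidationError(reason)


def scrub_exif_strict(data, max_bytes=MAX_BYTES, max_pixels=MAX_PIXELS):
    """Return re-encoded image bytes without metadata, or raise ValidationError."""
    if len(data) > max_bytes:  # checked before any decoder sees the bytes
        raise _reject("file too large")
    try:
        with Image.open(io.BytesIO(data)) as img:  # parses the header only
            fmt = img.format
            if fmt not in ALLOWED_FORMATS:
                raise _reject(f"format {fmt} not allowed")
            if img.width * img.height > max_pixels:
                raise _reject("pixel count over limit")
            img.load()  # full decode happens here
            if img.mode not in ("L", "RGB", "RGBA"):
                img = img.convert("RGB" if fmt == "JPEG" else "RGBA")
            # Rebuild from raw pixels so nothing from img.info (EXIF, text chunks) carries over.
            clean = Image.frombytes(img.mode, img.size, img.tobytes())
        out = io.BytesIO()
        clean.save(out, format=fmt)
        return out.getvalue()
    except UnidentifiedImageError as exc:
        raise _reject("not a decodable image") from exc
    except Image.DecompressionBombError as exc:
        raise _reject("decompression bomb") from exc
    except (OSError, MemoryError) as exc:
        raise _reject("decode failed") from exc
```

Every failure path raises, so a caller can never receive the original bytes with EXIF still attached.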

Deploy Preview for activist-org canceled.

Name Link
Latest commit 64fdb51dde66a3bc7a0123788ebe80acc6f7752e
Latest deploy log https://app.netlify.com/projects/activist-org/deploys/68e8cfab0fd35200083776da

netlify[bot] avatar Oct 10 '25 09:10 netlify[bot]

Thank you for the pull request! ❤️

The activist team will do our best to address your contribution as soon as we can. If you're not already a member of our public Matrix community, please consider joining! We'd suggest that you use the Element client as well as Element X for a mobile app, and definitely join the General and Development rooms once you're in. Also consider attending our bi-weekly Saturday developer syncs! It'd be great to meet you 😊

github-actions[bot] avatar Oct 10 '25 09:10 github-actions[bot]

Maintainer Checklist

The following is a checklist for maintainers to make sure this process goes as well as possible. Feel free to address the points below yourself in further commits if you realize that actions are needed :)

  • [ ] The TypeScript, pytest and formatting workflows within the PR checks do not indicate new errors in the files changed

  • [ ] The Playwright end to end and Zap penetration tests have been run and are passing (if necessary)

  • [ ] The changelog has been updated with a description of the changes for the upcoming release and the corresponding issue (if necessary)

github-actions[bot] avatar Oct 10 '25 09:10 github-actions[bot]