willnorris
Prevent pixel flood attacks
Presenting large images to ImageProxy that need transformations will cause ImageProxy to crash in some environments, resulting in a DoS attack -- https://gist.github.com/blakestoddard/a2cb5b98eaf335f0f474fcd09c1a751b using https://a.uguu.se/cGlgezGk.jpg (temp link that will expire, but it's a 64250x64250 image).
An easy fix is to halt transform operations for images over a certain pixel threshold. The 10000x10000 that I chose here is arbitrary, I only picked it since it matches the policy that we use internally for other things like ImageMagick.
By returning an error from Transform(), we prevent ImageProxy from crashing while still serving the original requested, untransformed image.
Codecov Report
Merging #254 (8572c5b) into main (c08b3c5) will decrease coverage by
0.24%. The diff coverage is100.00%.
@@ Coverage Diff @@
## main #254 +/- ##
==========================================
- Coverage 87.27% 87.03% -0.25%
==========================================
Files 6 6
Lines 503 509 +6
==========================================
+ Hits 439 443 +4
- Misses 36 37 +1
- Partials 28 29 +1
| Impacted Files | Coverage Δ | |
|---|---|---|
| transform.go | 88.48% <100.00%> (-0.83%) |
:arrow_down: |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact),ø = not affected,? = missing dataPowered by Codecov. Last update c08b3c5...3b16e68. Read the comment docs.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Bump! Would love to see this merged, or let me know how we can get it there.
Similar to my comment on #286, if you're trying to prevent abuse, why isn't the solution request signatures? Sure we could prevent requests larger than 10000x10000, but that still doesn't prevent an attack requesting 9999x9999 images with random other transformations that will bypass the cache.
