mirror of https://github.com/willnorris/imageproxy.git synced 2025-01-27 23:04:32 -05:00

Prevent pixel flooding attacks by blocking images larger than 10,000x10,000 that need to be transformed

Blake Stoddard 2020-12-08 14:02:54 -05:00
parent c08b3c505a
commit b5cd1fe0f9


@ -16,6 +16,7 @@ package imageproxy
import ( import (
"bytes" "bytes"
"errors"
"fmt" "fmt"
"image" "image"
_ "image/gif" // register gif format _ "image/gif" // register gif format
@ -54,6 +55,18 @@ func Transform(img []byte, opt Options) ([]byte, error) {
return img, nil return img, nil
} }
// decode image metadata
imageMeta, _, err := image.DecodeConfig(bytes.NewReader(img))
if err != nil {
return nil, err
}
// prevent pixel flooding attacks
// accept no larger than a 10,000 x 10,000 image
if imageMeta.Width*imageMeta.Height > 100000000 {
return nil, errors.New("image too large")
}
// decode image // decode image
m, format, err := image.Decode(bytes.NewReader(img)) m, format, err := image.Decode(bytes.NewReader(img))
if err != nil { if err != nil {
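Review bot: The area check `imageMeta.Width*imageMeta.Height > 100000000` multiplies two `int` values, so on a build where `int` is 32 bits a large enough pair of dimensions can wrap to a small or negative product and pass the guard before `image.Decode` allocates the full bitmap. Doing the arithmetic in 64 bits closes that, for example `if int64(imageMeta.Width)*int64(imageMeta.Height) > maxPixels {` with `const maxPixels = 10000 * 10000` declared at package level, which also replaces the magic number. The comment says 10,000 x 10,000 but the test is on total pixel count, so it would read more accurately as `// reject images with more than 100 megapixels before decoding`. Transform starts and continues outside this hunk.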