-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Denial of Service by Rendering Image that have very big pixel #357
Comments
Yes, it's true that if you run an open proxy, an attacker could use it to load a malicious image. The proper protection for that is to use host allow lists and/or request signatures so that attackers can't proxy arbitrary URLs |
I got a report a few months ago about a similar issue, but I think it was more performance related. But in any event, there's certainly some optimization to be had by not immediately reading the fill remote image into memory here. We could pass an io.Reader to Transform, and probably read out the image dimensions before loading the full image, which would let us put some additional maximum dimension controls in place. We can leave this open to track that work, but if anyone is actually concerned about the security aspects of this, they see the above comment about host allow lists and request signatures. |
After local testing above jpg image using master branch. I got following output, no crash yet.
I have download the lottapixel.jpg (5 KB) from https://hackerone.com/reports/390 Maybe it's already fixed ? |
It might have been fixed in the upstream image package? I haven't done anything specific in imageproxy for this. |
Description
There is Denial of Service (DoS) because
imageproxy
didn't check the size of the pixel imageAffected version
Latest version (0.11.2)
CVSS Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 MEDIUM
Steps to Reproduce
Proof of Concept
Remediation
Check the pixel of the image first, if the image has a large pixel, drop the request.
Reference
The text was updated successfully, but these errors were encountered: