Skip to content

Ensure invalid path extensions are skipped when validating input URLs #390

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JimBobSquarePants merged 5 commits into from
Jul 31, 2025
Merged

Ensure invalid path extensions are skipped when validating input URLs #390

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2842b11
Ensure invalid path extensions are skipped. Fix #233
JimBobSquarePants Jul 30, 2025
5ed4b82
Always use first extension
JimBobSquarePants Jul 30, 2025
229d925
Fix test
JimBobSquarePants Jul 30, 2025
628d341
Fix invalid condition
JimBobSquarePants Jul 31, 2025
24a2782
Update ImageSharp reference.
JimBobSquarePants Jul 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions samples/ImageSharp.Web.Sample/Pages/Index.cshtml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,10 +52,10 @@
</div>
<div>
<p>
<code>sixlabors.imagesharp.web.svg?width=300</code>
<code>sixlabors.imagesharp.web.svg?width=300&format=jpg</code>
</p>
<p>
<img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" />
<img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" imagesharp-format="Format.Jpg" />
</p>
</div>
</section>
Expand Down
23 changes: 16 additions & 7 deletions src/ImageSharp.Web/FormatUtilities.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,12 +53,19 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
[MethodImpl(MethodImplOptions.AggressiveInlining)]
public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? extension)
{
// Attempts to extract a valid image file extension from the URI.
// If the path contains a recognized extension, it is used.
// If the path lacks an extension and a query string is present,
// the method checks for a valid 'format' parameter as a fallback.
// Returns true if a supported extension is found in either location.
extension = null;
int query = uri.IndexOf('?');
ReadOnlySpan<char> path;

if (query > -1)
{
path = uri.AsSpan(0, query);

if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)
&& QueryHelpers.ParseQuery(uri[query..]).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
{
Expand All @@ -68,15 +75,13 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
{
if (extSpan.Equals(e, StringComparison.OrdinalIgnoreCase))
{
// We've found a valid extension in the query.
// Now we need to check the path to see if there is a file extension and validate that.
extension = e;
return true;
break;
}
}

return false;
}

path = uri.AsSpan(0, query);
}
else
{
Expand All @@ -92,13 +97,17 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
{
if (pathExtension.Equals(e, StringComparison.OrdinalIgnoreCase))
{
extension = e;
// We've found a valid extension in the path, however we do not
// want to overwrite an existing extension.
extension ??= e;
return true;
}
}

return false;
}

return false;
return extension != null;
}

/// <summary>
Expand Down
2 changes: 1 addition & 1 deletion src/ImageSharp.Web/ImageSharp.Web.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@
<ItemGroup>
<FrameworkReference Include="Microsoft.AspNetCore.App" />
<PackageReference Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
<PackageReference Include="SixLabors.ImageSharp" Version="3.1.8" />
<PackageReference Include="SixLabors.ImageSharp" Version="3.1.11" />
</ItemGroup>

<Import Project="..\..\shared-infrastructure\src\SharedInfrastructure\SharedInfrastructure.projitems" Label="Shared" />
Expand Down
9 changes: 8 additions & 1 deletion tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@

public class FormatUtilitiesTests
{
public static IEnumerable<object[]> DefaultExtensions =

Check warning on line 11 in tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs

View workflow job for this annotation

GitHub Actions / Build (windows-latest, net7.0, true, -x64, true) 

Non-constant fields should not be visible (https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2211)
Configuration.Default.ImageFormats.SelectMany(f => f.FileExtensions.Select(e => new object[] { e, e }));

private static readonly FormatUtilities FormatUtilities = new(Options.Create(new ImageSharpMiddlewareOptions()));
Expand Down Expand Up @@ -46,9 +46,16 @@
}

[Fact]
public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()
public void GetExtensionShouldAllowInvalidQueryStringFormatParameterWithValidExtension()
{
const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";
Assert.True(FormatUtilities.TryGetExtensionFromUri(uri, out _));
}

[Fact]
public void GetExtensionShouldRejectInvalidPathWithValidQueryStringFormatParameter()
{
const string uri = "http://www.example.org/some/path/to/image.svg?width=300&format=jpg";
Assert.False(FormatUtilities.TryGetExtensionFromUri(uri, out _));
}
}
Loading