Merge pull request #197 from SixLabors/js/fix-195

Ensure invalid format commands don't get processed.
SixLabors · Jan 5, 2022 · 1278001 · 1278001
2 parents fea0207 + e070b9e
commit 1278001
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 13 deletions.
diff --git a/src/ImageSharp.Web/FormatUtilities.cs b/src/ImageSharp.Web/FormatUtilities.cs
@@ -51,14 +51,26 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         public string GetExtensionFromUri(string uri)
         {
+            // TODO: This method should follow TryGet pattern. Fix for V2.
             int query = uri.IndexOf('?');
             ReadOnlySpan<char> path;
 
             if (query > -1)
             {
-                if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase) && QueryHelpers.ParseQuery(uri.Substring(query)).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
+                if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)
+                    && QueryHelpers.ParseQuery(uri.Substring(query)).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
                 {
-                    return ext;
+                    // We have a query but is it a valid one?
+                    ReadOnlySpan<char> extSpan = ext[0].AsSpan();
+                    foreach (string extension in this.extensions)
+                    {
+                        if (extSpan.Equals(extension, StringComparison.OrdinalIgnoreCase))
+                        {
+                            return extension;
+                        }
+                    }
+
+                    return null;
                 }
 
                 path = uri.AsSpan(0, query);

diff --git a/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs b/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs
@@ -2,7 +2,6 @@
 // Licensed under the Apache License, Version 2.0.
 
 using System;
-using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Globalization;

diff --git a/src/ImageSharp.Web/Processors/FormatWebProcessor.cs b/src/ImageSharp.Web/Processors/FormatWebProcessor.cs
@@ -37,9 +37,7 @@ public class FormatWebProcessor : IImageWebProcessor
         /// </summary>
         /// <param name="options">The middleware configuration options.</param>
         public FormatWebProcessor(IOptions<ImageSharpMiddlewareOptions> options)
-        {
-            this.options = options.Value;
-        }
+            => this.options = options.Value;
 
         /// <inheritdoc/>
         public IEnumerable<string> Commands { get; } = FormatCommands;

diff --git a/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs b/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs
@@ -14,7 +14,7 @@ public class FormatUtilitiesTests
         public static IEnumerable<object[]> DefaultExtensions =
             Configuration.Default.ImageFormats.SelectMany(f => f.FileExtensions.Select(e => new object[] { e, e }));
 
-        private static readonly FormatUtilities FormatUtilities = new FormatUtilities(Options.Create(new ImageSharpMiddlewareOptions()));
+        private static readonly FormatUtilities FormatUtilities = new(Options.Create(new ImageSharpMiddlewareOptions()));
 
         [Theory]
         [MemberData(nameof(DefaultExtensions))]
@@ -27,22 +27,29 @@ public void GetExtensionShouldMatchDefaultExtensions(string expected, string ext
         [Fact]
         public void GetExtensionShouldNotMatchExtensionWithoutDotPrefix()
         {
-            const string Uri = "http://www.example.org/some/path/to/bmpimage";
-            Assert.Null(FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/bmpimage";
+            Assert.Null(FormatUtilities.GetExtensionFromUri(uri));
         }
 
         [Fact]
         public void GetExtensionShouldIgnoreQueryStringWithoutFormatParamter()
         {
-            const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";
-            Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";
+            Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(uri));
         }
 
         [Fact]
         public void GetExtensionShouldAcknowledgeQueryStringFormatParameter()
         {
-            const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";
-            Assert.Equal("png", FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";
+            Assert.Equal("png", FormatUtilities.GetExtensionFromUri(uri));
+        }
+
+        [Fact]
+        public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()
+        {
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";
+            Assert.Null(FormatUtilities.GetExtensionFromUri(uri));
         }
     }
 }