Merge pull request #43 from dustout/feature/20250524-added-sanity-checks

dustout · web-flow · commit e639e8f63b30 · 2025-05-24T09:17:27.000-06:00
Added sanity check to width and height
diff --git a/CommonImageActions.AspNetCore/CommonImageActionSettings.cs b/CommonImageActions.AspNetCore/CommonImageActionSettings.cs
@@ -40,6 +40,10 @@ public string PathToWatch
 
         public static string DefaultDiskCacheLocation { get; set; }
 
+        public static int MaxUrlWidth { get; set; } = 5000;
+
+        public static int MaxUrlHeight { get; set; } = 5000;
+
         public static string[] ValidImageExtensions = {
             ".bmp",
             ".gif",
diff --git a/CommonImageActions.AspNetCore/CommonImageActionsMiddleware.cs b/CommonImageActions.AspNetCore/CommonImageActionsMiddleware.cs
@@ -281,13 +281,21 @@ public static ImageActions ConvertQueryStringToImageActions(string queryString,
             var widthString = query["width"] ?? query["w"];
             if (int.TryParse(widthString, out int width))
             {
-                imageActions.Width = width;
+                //sanity check to make sure no bad actor requests a number that may eat all the ram in the system
+                if(width < CommonImageActionSettings.MaxUrlWidth)
+                {
+                    imageActions.Width = width;
+                }
             }
 
             var heightString = query["height"] ?? query["h"];
             if (int.TryParse(heightString, out int height))
             {
-                imageActions.Height = height;
+                //sanity check to make sure no bad actor requests a number that may eat all the ram in the system
+                if (width < CommonImageActionSettings.MaxUrlHeight)
+                {
+                    imageActions.Height = height;
+                }
             }
 
             var pageString = query["Page"] ?? query["p"];

Original file line number	Diff line number	Diff line change
`@@ -281,13 +281,21 @@ public static ImageActions ConvertQueryStringToImageActions(string queryString,`
`281`	`281`	`var widthString = query["width"] ?? query["w"];`
`282`	`282`	`if (int.TryParse(widthString, out int width))`
`283`	`283`	`{`
`284`		`- imageActions.Width = width;`
	`284`	`+ //sanity check to make sure no bad actor requests a number that may eat all the ram in the system`
	`285`	`+ if(width < CommonImageActionSettings.MaxUrlWidth)`
	`286`	`+ {`
	`287`	`+ imageActions.Width = width;`
	`288`	`+ }`
`285`	`289`	`}`
`286`	`290`
`287`	`291`	`var heightString = query["height"] ?? query["h"];`
`288`	`292`	`if (int.TryParse(heightString, out int height))`
`289`	`293`	`{`
`290`		`- imageActions.Height = height;`
	`294`	`+ //sanity check to make sure no bad actor requests a number that may eat all the ram in the system`
	`295`	`+ if (width < CommonImageActionSettings.MaxUrlHeight)`
	`296`	`+ {`
	`297`	`+ imageActions.Height = height;`
	`298`	`+ }`
`291`	`299`	`}`
`292`	`300`
`293`	`301`	`var pageString = query["Page"] ?? query["p"];`