Hey,
in src/controllers/ImageController.php, you read from a file with unsanitized user input. Even if it's not super exploitable as you append static strings, I would prefer some user input validation. You can copy/paste from the docs:
https://docs.craftcms.com/api/v3/craft-web-response.html#method-sendfile
I hope we left the time where you can send null bytes to PHP with %00.
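One way to do the validation asked for above, as an added example that is not part of the original report and not the plugin's own code. The function name `resolveImagePath`, the base directory and the sample file names are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the plugin): map a user-supplied image name
 * to a path inside $baseDir, or return null if the name is not acceptable.
 */
function resolveImagePath(string $baseDir, string $userName): ?string
{
    // Allowlist: a single file name. No separators, no NUL byte, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)?\z/', $userName)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and ".." and returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Containment check: the resolved path must still be under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data: a temporary directory holding one image file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'img_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'logo.png', 'x');

foreach (['logo.png', '../logo.png', "logo.png\0.txt", 'sub/logo.png', 'missing.png'] as $name) {
    $resolved = resolveImagePath($dir, $name);
    printf("%-22s => %s\n", json_encode($name), $resolved === null ? 'rejected' : 'accepted');
}

// Clean up the constructed sample data.
unlink($dir . DIRECTORY_SEPARATOR . 'logo.png');
rmdir($dir);
```

Only a path returned by the helper would then be passed to the response's `sendFile()`; a `null` result should end the request with a not-found response.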