cshum / imagor

Fast, secure image processing server and Go library, using libvips
Apache License 2.0

Feature: Omit auto format (webp and avif) for SVG files #381

Open chladog opened 1 year ago

chladog commented 1 year ago

Hello, loving your great work and thank you for it! After using it for a while I encountered a few problems - here are ideas for additional betterment:

Omit SVG from auto-format

We are using IMAGOR_AUTO_WEBP=1 and IMAGOR_AUTO_AVIF=1. It's working great for bitmap images, however I'm in need of an option to omit this behavior for vector SVG images as most of the time it makes more sense to just render SVGs as is - filesize often smaller than bitmap, and render quality always better. Obviously the conversion would happen if there is any manipulation or processing filter used (maybe pure SVG manipulation in the future? ;-) )

Ideally such feature would even take a configurable filesize limit and overly complex SVGs over the limit (like filesize over 0.5 MB) would actually be converted, however the small enough images like icons, logos would be kept as SVG.

~~Better quality SVG2Bitmap~~

~~Additionally it would be great to overall enhance the quality of the SVG to bitmap conversion, which currently produces blurred images even on 1:1.~~

~~Fetching original files~~

~~In our current deployment we are storing images to private S3 bucket exclusively, and we cannot make it public and we need to protect the originals also by HASH. It would be very handy to be able to get the original file skipping any processing (except the signature verification) through Imagor - something like /original/PATH2FILE. (obviously such feature would ideally be possible to disable in config)~~

Would you consider these features?

cshum commented 1 year ago

The following filters may satisfy some of the goals. Would you try it out?

raw() response with a raw unprocessed and unchecked source image. Image still loads from loader and storage but skips the result storage

Adding raw() filter would allow fetching original files.

Loading the original file should be disabled by default, hence only accessible via a filter, because untrusted SVG can very easily contain malicious code.

dpi(num) specify the dpi to render at for PDF and SVG

The default dpi for PDF/SVG is 72; this filter allows specifying a higher dpi.

Though it may be a good idea to allow setting a default config for default dpi.

chladog commented 1 year ago

> The following filters may satisfy some of the goals. Would you try it out?
>
> raw() response with a raw unprocessed and unchecked source image. Image still loads from loader and storage but skips the result storage
>
> Adding raw() filter would allow fetching original files.
>
> Loading the original file should be disabled by default, hence only accessible via a filter, because untrusted SVG can very easily contain malicious code.
>
> dpi(num) specify the dpi to render at for PDF and SVG
>
> The default dpi for PDF/SVG is 72; this filter allows specifying a higher dpi.
>
> Though it may be a good idea to allow setting a default config for default dpi.

Hello, I feel a little dumb, that I missed the raw() and dpi() filters, so sorry for that, that's great and kind of what I need. Definitely being able to set the default dpi would be great, as the client doesn't necessarily know the mimetype in advance and adding it to all urls feels redundant.

Still, the first feature stands, as it would be very useful: the client doesn't necessarily know the mimetype in advance (we don't include extensions as it's confusing to serve WebP with .PNG extension for example), and therefore doesn't know for which image raw() should be set. I understand your security concern about malicious code, but for example in our environment we have absolute control over what files get in the source bucket: it's either from a trusted source, or potentially a security check can be implemented on uploading. Additionally, the conditional conversion based on SVG filesize would be real sweet. I know I could serve SVG outside Imagor completely, but still want to

  1. have it protected with hash
  2. have consistent client-side codebase for all mimetypes (same image host, processing, signatures)
  3. actually be able to use format conversion or filters on SVGs if needed

A config flag like RAW_UNTIL=svg:512000,pdf:256000, where you set a comma-separated list of formats and filesizes in bytes, would be perfect; then you could use the same for other formats as well. If not set, default to current behavior ofc.
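The following Go sketch is an added example, not part of the thread and not imagor code: it parses the `RAW_UNTIL` syntax proposed above and decides when a source would bypass auto-format conversion. The names `RawUntil`, `ParseRawUntil` and `ServeRaw` are hypothetical, and the sketch assumes the format is detected from file content and that the source bucket is trusted, since a passed-through SVG reaches the client unprocessed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// RawUntil maps a lowercase format name to the largest source size, in bytes,
// that is still served unprocessed. Hypothetical type, not part of imagor.
type RawUntil map[string]int64

// ParseRawUntil parses the proposed "svg:512000,pdf:256000" syntax.
// An empty value yields an empty map, i.e. current behaviour (always process).
func ParseRawUntil(s string) (RawUntil, error) {
	limits := RawUntil{}
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		format, size, ok := strings.Cut(item, ":")
		format = strings.ToLower(strings.TrimSpace(format))
		if !ok || format == "" {
			return nil, fmt.Errorf("raw-until: %q is not format:bytes", item)
		}
		n, err := strconv.ParseInt(strings.TrimSpace(size), 10, 64)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("raw-until: bad byte limit in %q", item)
		}
		limits[format] = n
	}
	return limits, nil
}

// ServeRaw reports whether a source may skip conversion: its detected format
// is listed, it is within the limit, and no filter or resize was requested.
func (r RawUntil) ServeRaw(format string, size int64, hasOps bool) bool {
	limit, ok := r[strings.ToLower(format)]
	return ok && !hasOps && size >= 0 && size <= limit
}

func main() {
	limits, err := ParseRawUntil("svg:512000,pdf:256000") // value from the thread
	if err != nil {
		panic(err)
	}
	fmt.Println(limits.ServeRaw("svg", 20_000, false), limits.ServeRaw("svg", 900_000, false))
}
```

Rejecting malformed entries at startup, rather than skipping them, keeps a typo in the flag from silently widening or narrowing what is served unprocessed.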

binaryfire commented 1 year ago

I'm in the same situation. Only admins are able to upload SVGs in our app so handling this automatically via a config setting would be great.