cshum / imagor

Fast, secure image processing server and Go library, using libvips
Apache License 2.0
3.46k stars 138 forks source link

Allow POSTing image #383

Open tgulacsi opened 1 year ago

tgulacsi commented 1 year ago

Sorry for my incompetence, but why is POSTing explicitly forbidden? For me it'd be way easier to POST the image to be transformed.

cshum commented 1 year ago

imagor is designed for transforming images on public endpoints. POST method can raise significant security concerns, making it unsuitable for public requests.

However, it's worth noting that the POST method may be appropriate between private microservices. This could be a feature considered for implementation, though it should be made opt-in through configuration. And the security implications must be effectively managed.

tgulacsi commented 1 year ago

You mean that the URL of the image to be transformed is filtered according to the configuration, and POSTing would allow any image to be transformed?

So, either opt-in in configuration as "unsafe-POST", or require the same HASH method for POST-ing: allow POSTing to base-url/HASH only, and check that HASH is the same as the uploaded file's hash ?

cshum commented 1 year ago

The POST endpoint may looks like this:

POST http://localhost:8000/unsafe/fit-in/200x200/filters:fill(white)

Where image key is empty. But security hash requires image key to be in place. So opt-in for POST means only unsafe option available. This is also to align with the expectation that POST is insecure. It also means bypassing Storage & Result Storage, given image key is non-existent.

All in all POST requires a pretty big change to the current architecture.

morki commented 5 months ago

This would be awesome, we would like to use in as microservice, POST content and get another back to store in our system.

Qubitium commented 2 months ago

I still fail to understand the security implications of exposing pushing image via POST. How is pushing a byte array to an image processor via POST less secure than the image processor pulling the same image via public url via GET? If attacker wants to process an image, it will get in regardless.

This appears to be a cache/key issue and not a security one.