danielpalme / ReportGenerator

ReportGenerator converts coverage reports generated by coverlet, OpenCover, dotCover, Visual Studio, NCover, Cobertura, JaCoCo, Clover, gcov or lcov into human readable reports in various formats.
https://reportgenerator.io
Apache License 2.0

SixLabors.ImageSharp.Drawing has potential vulnerability #627

Closed · plade closed this 11 months ago

plade commented 11 months ago

Describe the bug: SixLabors.ImageSharp.Drawing version needs to be upgraded to 2.0.0 or later. Previous versions use SixLabors.ImageSharp with a potential vulnerability that was fixed in PR https://github.com/SixLabors/ImageSharp/pull/2524

plade commented 11 months ago

It looks like SixLabors.ImageSharp.Drawing is not netstandard anymore, so this will need a bit more work than just upgrading the package.

danielpalme commented 11 months ago

I think that's a minor issue.

ReportGenerator uses ImageSharp to generate images/badges. It does not process arbitrary images from outside. So it's not possible to exploit the vulnerability in this context.

plade commented 11 months ago

Yes I believe it's quite a non-issue.

Would you mind if I tried to contribute and fix it as a small project for myself?

danielpalme commented 11 months ago

Sure. Maybe there is a way to replace ImageSharp completely, as it's only used for some simple rendering.

danielpalme commented 11 months ago

I think I will remove ImageSharp completely. It's only used for:

danielpalme commented 11 months ago

Made the necessary changes in ae8c4fc.