papandreou / express-processimage

Express middleware that processes served images according to the query string
BSD 3-Clause "New" or "Revised" License
56 stars 18 forks

Harden express-processimage for use in production #4

Open papandreou opened 10 years ago

papandreou commented 10 years ago
Munter commented 10 years ago

:thumbsup: from here :)

papandreou commented 8 years ago

Actually, let's keep this open until all parameters are validated.

dbohannon commented 7 years ago

What's the current status with respect to hardening this package for use in production environments? I don't see any instances where remote code execution is possible. It looks like all parameters are passed to other dependency functions rather than to command line tools. Is this correct? Is the statement "Parts of the query string will be passed directly to various command line tools." in the README still accurate?

papandreou commented 7 years ago

The current status is that a bunch of graphicsmagick operations and all parameters related to pngcrush, pngquant, jpegtran, optipng, svgfilter, and inkscape aren't validated: https://github.com/papandreou/express-processimage/blob/cbd932d29083583a480315b64a3500ff471590a4/lib/getFilterInfosAndTargetContentTypeFromQueryString.js#L145-L361

... so all of those should be considered unsafe.

However, I'm running it in production myself with a conservative whitelist of allowed operations configured via the allowOperation option:

```js
// Conservative whitelist: only these operation names are accepted from the query string.
const allowedOperations = [
    'withoutEnlargement',
    'progressive',
    'ignoreAspectRatio',
    'interpolateWith',
    'metadata',
    'resize',
    'extract',
    'crop',
    'rotate',
    'quality',
    'format',
    'png',
    'jpeg',
    'gm'
];

// allowOperation is called once per requested operation; returning false rejects it.
const app = require('express')().use(require('express-processimage')({
    allowOperation: (name, args) => {
        return allowedOperations.indexOf(name) !== -1;
    }
}));
```

Remember to specify maxInputPixels and maxOutputPixels as well.
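The whitelist above checks only operation names, while the thread notes that the arguments of several operations are not validated. The following is an added example, not the project's or the commenter's code, of an allowOperation predicate that also checks each operation's arguments; the (name, args) hook signature comes from the comment above, whereas the per-operation argument shapes (numbers or decimal strings), the MAX_DIMENSION bound and the choice to leave 'gm' out of the table are assumptions of this example.

```javascript
// Added example: argument-aware allowOperation predicate for express-processimage.
// Assumption: `args` is an array of numbers or decimal strings parsed from the query string.
const MAX_DIMENSION = 4096; // assumed upper bound; align it with maxOutputPixels in practice

function isBoundedInt(value, min, max) {
  // Accept a number or an all-digit string; reject negatives, floats and empty strings.
  if (typeof value !== 'number' && !/^\d+$/.test(String(value))) return false;
  const n = Number(value);
  return Number.isInteger(n) && n >= min && n <= max;
}

// Per-operation validators. Anything absent from this table is denied, which keeps the
// unvalidated pngcrush/pngquant/jpegtran/optipng/svgfilter/inkscape parameters unreachable.
// 'gm' is deliberately omitted because several graphicsmagick operations are not validated.
const validators = {
  withoutEnlargement: args => args.length === 0,
  progressive: args => args.length === 0,
  ignoreAspectRatio: args => args.length === 0,
  metadata: args => args.length === 0,
  png: args => args.length === 0,
  jpeg: args => args.length === 0,
  resize: args => args.length === 2 && args.every(a => isBoundedInt(a, 1, MAX_DIMENSION)),
  extract: args => args.length === 4 && args.every(a => isBoundedInt(a, 0, MAX_DIMENSION)),
  rotate: args => args.length === 1 && isBoundedInt(args[0], 0, 270)
                  && [0, 90, 180, 270].includes(Number(args[0])),
  quality: args => args.length === 1 && isBoundedInt(args[0], 1, 100),
  format: args => args.length === 1 && ['png', 'jpeg'].includes(args[0])
};

function allowOperation(name, args) {
  // Own-property check so names like 'constructor' cannot resolve via Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(validators, name)) return false;
  return validators[name](Array.isArray(args) ? args : []);
}
```

Wire it in as `allowOperation` in the options object exactly where the name-only predicate sits above.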