Skip to content

Latest commit

 

History

History
116 lines (85 loc) · 5.77 KB

mitigations.md

File metadata and controls

116 lines (85 loc) · 5.77 KB

Mitigation Strategies Analysis for sixlabors/imagesharp

Mitigation Strategy: Image Dimension Limits (within ImageSharp processing)

Description:

  1. Define MAX_WIDTH and MAX_HEIGHT constants (or configuration settings).
  2. Use Image.Identify(stream) to obtain image dimensions without fully loading the image. This is crucial for efficiency.
  3. Compare the obtained width and height against MAX_WIDTH and MAX_HEIGHT.
  4. If either exceeds the limits, immediately throw a custom exception (e.g., ImageTooLargeException) or return an error. Do not proceed with further ImageSharp processing.
  5. Log the rejection.

  • Threats Mitigated:

    • Denial of Service (DoS) - Resource Exhaustion (High Severity): Prevents processing of extremely large images that consume excessive memory/CPU.
    • Decompression Bomb (variant of DoS) (High Severity): Mitigates images that are small on disk but expand to huge sizes in memory.
    • Performance Degradation (Medium Severity): Reduces processing time.

  • Impact:

    • DoS - Resource Exhaustion: Risk significantly reduced.
    • Decompression Bomb: Risk significantly reduced.
    • Performance Degradation: Noticeable performance improvement.

  • Currently Implemented:

    • Implemented in ImageUploadService.cs, ProcessUploadedImage method. Constants MAX_WIDTH = 2048, MAX_HEIGHT = 2048. Image.Identify used. ImageTooLargeException thrown.

  • Missing Implementation:

    • Missing in ThumbnailService.cs.

Mitigation Strategy: Pixel Format Restrictions

Description:

  1. Identify the required pixel formats (e.g., Rgba32, Bgr24).
  2. Create a custom Configuration instance for ImageSharp.
  3. Within the Configuration, register only the IImageDecoder implementations for the allowed formats. Do not use the default configuration.
  4. Use this custom Configuration when loading/processing images.

  • Threats Mitigated:

    • Code Execution Vulnerabilities (High Severity): Reduces the attack surface by limiting executed code paths within ImageSharp.
    • Denial of Service (DoS) (Medium Severity): Prevents exploiting computationally expensive formats.
    • Information Disclosure (Low Severity): Mitigates vulnerabilities in obscure format handling.

  • Impact:

    • Code Execution Vulnerabilities: Attack surface significantly reduced.
    • DoS: Some improvement in DoS resilience.
    • Information Disclosure: Minor risk reduction.

  • Currently Implemented:

    • Not implemented. Default ImageSharp configuration is used.

  • Missing Implementation:

    • Needs global implementation. Establish a central location for ImageSharp configuration.

Mitigation Strategy: Frame Count Limits (Animated Formats)

Description:

  1. Define a MAX_FRAMES constant (or configuration setting).
  2. After loading an image, check image.Frames.Count.
  3. If image.Frames.Count exceeds MAX_FRAMES, reject the image (throw exception/return error).
  4. Log the rejection.

  • Threats Mitigated:

    • Denial of Service (DoS) - Resource Exhaustion (High Severity): Prevents processing of animated images with excessive frame counts.

  • Impact:

    • DoS - Resource Exhaustion: Risk significantly reduced for animated formats.

  • Currently Implemented:

    • Partially implemented in GifProcessingService.cs. Limit hardcoded and too high (MAX_FRAMES = 1000).

  • Missing Implementation:

    • Limit should be configurable.
    • Missing for animated WebP images (WebPService.cs).

Mitigation Strategy: Metadata Handling (Strip or Whitelist)

Description:

  1. Option A (Strip Metadata): Use image.Mutate(x => x.RemoveMetadata()) to remove all metadata.
  2. Option B (Whitelist Metadata):
    • Define a list of AllowedMetadataKeys.
    • Iterate through metadata entries.
    • If a key is not in AllowedMetadataKeys, remove the entry.
    • If a key is allowed, sanitize the value before use.

  • Threats Mitigated:

    • Information Disclosure (Medium Severity): Prevents leakage of sensitive information in metadata.
    • Code Execution Vulnerabilities (Low Severity): Reduces attack surface by limiting metadata processing.

  • Impact:

    • Information Disclosure: Risk significantly reduced.
    • Code Execution Vulnerabilities: Minor risk reduction.

  • Currently Implemented:

    • No metadata handling implemented. Metadata is preserved.

  • Missing Implementation:

    • Needs implementation where images are processed and metadata is accessed. Decide between stripping or whitelisting.

Mitigation Strategy: Disable Unnecessary Features

Description:

  1. Review ImageSharp's documentation and identify unused features (encoders, decoders, processing operations).
  2. Use ImageSharp's configuration options (custom Configuration instance) to disable these features.

  • Threats Mitigated:

    • Code Execution Vulnerabilities (High Severity): Reduces the attack surface.
    • Denial of Service (DoS) (Medium Severity): May improve performance.

  • Impact:

    • Code Execution Vulnerabilities: Attack surface reduced.
    • DoS: Potential for minor performance improvements.

  • Currently Implemented:

    • Not implemented. Default ImageSharp configuration is used.

  • Missing Implementation:

    • Requires review of ImageSharp features and application requirements. Implement during ImageSharp setup.