How to prevent ImageSharp Web from resizing to certain sizes?

[shapeh]

I am new to ImageSharp.Web and want to resize images on my ASP.NET Core 5.0 website. (posted this question on SO as well: https://stackoverflow.com/questions/66284106/how-to-prevent-imagesharp-web-from-resizing-to-certain-sizes)

To prevent DDoS (Distributed Denial of Service attacks), I would like to restrict the sizes that ImageSharp.Web can resize too.

For example I have an image with an original size of 800x400 (100kb) that I am resizing using the following:

<img src="image.jpg?width=300&height=300" alt="..." /> // image will be 40 kb, bandwidth saved yay!

The problem is if an evil user decides to request the image with:

<img src="image.jpg?width=8000&height=4000" alt="..." /> // 8,000 x 4,000 => image is now 2mb

If that user request this image with 'high-numbered' pixel sizes (7000,7001,7002...8000} say 10,000 times the server will become non-responsive due to memory exhausting and bandwidth usage.

1. How can I restrict ImageSharp.Web to not resize images above their original size?
2. How can I restrict ImageSharp.Web to only resize images to e.g. 300x300, and 300x600?

I don't see any configurable options for that in ImageSharp.Web (https://docs.sixlabors.com/articles/imagesharp.web/gettingstarted.html).

My startup.cs:

    public void ConfigureServices(IServiceCollection services)
    {

        // ....

        services.AddImageSharp();

    }

[JimBobSquarePants]

Hi @shapeh

The place your are looking for is actually on that page. It's the options.OnParseCommandsAsync function.

We actually do some default sanitation to help reduce potential attack vectors (and disallow that specific evil user) but you can implement custom rules you want there instead. Here's the default method.

ImageSharp.Web/src/ImageSharp.Web/Middleware/ImageSharpMiddlewareOptions.cs

Lines 20 to 44 in b72064b

	private Func<ImageCommandContext, Task> onParseCommandsAsync = c =>
	{
	if (c.Commands.Count == 0)
	{
	return Task.CompletedTask;
	}
	// It's a good idea to have this to provide very basic security.
	// We can safely use the static resize processor properties.
	uint width = c.Parser.ParseValue<uint>(
	c.Commands.GetValueOrDefault(ResizeWebProcessor.Width),
	c.Culture);
	uint height = c.Parser.ParseValue<uint>(
	c.Commands.GetValueOrDefault(ResizeWebProcessor.Height),
	c.Culture);
	if (width > 4000 && height > 4000)
	{
	c.Commands.Remove(ResizeWebProcessor.Width);
	c.Commands.Remove(ResizeWebProcessor.Height);
	}
	return Task.CompletedTask;
	};

However this doesn't allow you to prevent upscaling since we haven't attempted to decode the image at this point so do not know anything about it. You would have to implement your own version of the ResizeWebProcessor class (inheriting should be fine since it's not sealed) and override this method. You can remove the original and register your own as described in the documentation.

ImageSharp.Web/src/ImageSharp.Web/Processors/ResizeWebProcessor.cs

Lines 69 to 84 in b72064b

	public FormattedImage Process(
	FormattedImage image,
	ILogger logger,
	IDictionary<string, string> commands,
	CommandParser parser,
	CultureInfo culture)
	{
	ResizeOptions options = GetResizeOptions(commands, parser, culture);
	if (options != null)
	{
	image.Image.Mutate(x => x.Resize(options));
	}
	return image;
	}

Hope that makes it clear.

P.S I transferred the discussion here. Each repository has its own distinct discussions channel.

[JimBobSquarePants]

You haven't removed the original processor so it's still intercepting the call.

services.AddImageSharp()
        .RemoveProcessor<ResizeWebProcessor>()
        .AddProcessor<ResizeWebCustomProcessor>();

Since you are not preventing upscaling and only restricting sizes to a certain subset of values I would strongly recommend using onParseCommandsAsync instead since that will prevent the middleware from even decoding the source image. This is much more efficient.

[shapeh]

Oh I missed .RemoveProcessor<ResizeWebProcessor>() :)

• to use the onParseCommandsAsync - I am not really sure how to do that. Should I do a ImageSharpMiddlewareCustomOptions.cs or is there a way to override this? (Sorry, I am not sure how to do this).
  Otherwise, thanks so much for this library and all the work you and the team is putting in it.

[JimBobSquarePants]

No, you do it on registration. options is the ImageSharpMiddlewareOptions containing the function we'll replace.

This should do it. Now you don't need your custom processor.

services.AddImageSharp(
   options =>
   {
       options.OnParseCommandsAsync = c =>
       {
           if (c.Commands.Count == 0)
           {
               return Task.CompletedTask;
           }

           uint width = c.Parser.ParseValue<uint>(
               c.Commands.GetValueOrDefault(ResizeWebProcessor.Width),
               c.Culture);

           uint height = c.Parser.ParseValue<uint>(
               c.Commands.GetValueOrDefault(ResizeWebProcessor.Height),
               c.Culture);

           List<Size> allowedSizes = new List<Size> { new Size(300, 600), new Size(300, 300) };
           if (!allowedSizes.Any(x => x.Width == width && x.Height == height))
           {
               c.Commands.Remove(ResizeWebProcessor.Width);
               c.Commands.Remove(ResizeWebProcessor.Height);
           }

           return Task.CompletedTask;
       };
   });

[shapeh]

This work like a charm and elegant too! Thank you so much. If we ever meet in real life I will buy you a beer!

[eslam82badawy]

this is Perfect Solution ,
if you would allow me to add other hint to to put a max size to Full HD Sizes Only
based on your brillante solution like the following :
`

       List<Size> allowedSizes = new List<Size> { new Size(1920, 1080), new Size(1080, 1920) };
       if (!allowedSizes.Any(x => x.Width >= width && x.Height >= height))
       {
           c.Commands.Remove(ResizeWebProcessor.Width);
           c.Commands.Remove(ResizeWebProcessor.Height);
       }
       return Task.CompletedTask;

`