From eab8693424cdc2a4ba9ef2f2b4e3eedde8badb9a Mon Sep 17 00:00:00 2001 From: ausir Date: Wed, 26 Jul 2023 14:56:35 +0800 Subject: [PATCH 1/4] feat: add limits for modifiers and dimensions --- README.md | 15 +++++++++++++++ src/ipx.ts | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/README.md b/README.md index b0fba5c..20dd3f4 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,8 @@ Resize to `200x200px` using `embed` method and change format to `webp`: ### Modifiers +* To prevent server abuse, only width, w, height, h, resize, and s modifiers are enabled by default. Other Modifiers should be defined in the configuration (Config). + | Property | Docs | Example | Comments | | -------------- | :-------------------------------------------------------------- | :--------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | width / w | [Docs](https://sharp.pixelplumbing.com/api-resize#resize) | `/width_200/buffalo.png` | @@ -88,6 +90,8 @@ Config can be customized using `IPX_*` environment variables. - Default: `[]` + - e.g.: `IPX_DOMAINS=https://avatars.githubusercontent.com, https://nuxtjs.org` + - `IPX_MAX_AGE` - Default: `300` @@ -100,6 +104,17 @@ Config can be customized using `IPX_*` environment variables. - Default: `{}` +- `IPX_LIMITS_MODIFIERS` + + - Default: `['width', 'w', 'height', 'h', 'resize', 's']` (Abbreviated modifiers will be treated as distinct variants.) + + - e.g.: `IPX_LIMITS_MODIFIERS=w, enlarge` + +- `IPX_LIMITS_MAX_DIMENSIONS` + + - Default: `8192` (px, Both width and height will use this value.) + + ## License [MIT](./LICENSE) diff --git a/src/ipx.ts b/src/ipx.ts index 0c33001..29c555c 100644 --- a/src/ipx.ts +++ b/src/ipx.ts 
@@ -35,6 +35,10 @@ export interface IPXOptions { // TODO: Create types // https://github.com/lovell/sharp/blob/master/lib/constructor.js#L130 sharp?: SharpOptions; + limits: { + modifiers: Set; + maxDimensions: number; + }; } // https://sharp.pixelplumbing.com/#formats @@ -57,6 +61,17 @@ export function createIPX(userOptions: Partial): IPX { fetchOptions: getEnvironment("IPX_FETCH_OPTIONS", {}), maxAge: getEnvironment("IPX_MAX_AGE", 300), sharp: {}, + limits: { + modifiers: new Set( + getEnvironment( + "IPX_LIMITS_MODIFIERS", + "width, w, height, h, resize, s" + ) + .split(",") + .map((s) => s.trim()) + ), + maxDimensions: getEnvironment("IPX_LIMITS_MAX_DIMENSIONS", 8192), + }, }; const options: IPXOptions = defu(userOptions, defaults) as IPXOptions; @@ -155,6 +170,7 @@ export function createIPX(userOptions: Partial): IPX { name, args: arguments_, })) + .filter((h) => options.limits.modifiers.has(h.name)) .filter((h) => h.handler) .sort((a, b) => { const aKey = (a.handler.order || a.name || "").toString(); @@ -165,6 +181,27 @@ export function createIPX(userOptions: Partial): IPX { // Apply handlers const handlerContext: any = { meta }; for (const h of handlers) { + switch (h.name) { + case "width": + case "w": + case "height": + case "h": + case "size": + case "s": { + const [width, height] = String(h.args).split("x").map(Number); + if ( + width > options.limits.maxDimensions || + height > options.limits.maxDimensions + ) { + throw createError( + "Request dimensions exceeds the limit.", + 416, + options.limits.maxDimensions.toString() + ); + } + break; + } + } sharp = applyHandler(handlerContext, sharp, h.handler, h.args) || sharp; } From d5c0980dd3cef17f129294cc977e8191da97277d Mon Sep 17 00:00:00 2001 From: ausir Date: Wed, 26 Jul 2023 15:58:01 +0800 Subject: [PATCH 2/4] fix: Avoiding breaking changes --- README.md | 2 +- src/ipx.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 20dd3f4..2e10ffc 100644 
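Review bot: `limits` is added as a required member of IPXOptions while the neighbouring `sharp?` is optional, so any existing value typed as IPXOptions outside createIPX stops compiling until it supplies `limits`; since createIPX fills it from `defaults`, `limits?: {` matches its siblings and keeps the type backward compatible. The two new fields also carry no TSDoc in an interface whose other members are commented; I would add `/** Modifier names accepted on a request; anything else is dropped before handlers run. */` above `modifiers` and `/** Upper bound, in px, applied to both a requested width and height. */` above `maxDimensions`. The element type of `Set` is not visible here (it may have been lost in rendering); if it is genuinely bare it should be `Set<string>` so `.has(h.name)` is type-checked.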
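Review bot: The new `.filter((h) => options.limits.modifiers.has(h.name))` silently discards any modifier outside the allow-list, so a caller who sends a refused modifier still receives 200 and an image that does not match what was asked for, with no signal that a limit was applied. That is a defensible abuse-prevention choice, but it is not stated anywhere, and the README note added in this patch only says the other modifiers "should be defined in the configuration". A one-line comment on the filter, `// Modifiers not on the allow-list are dropped, not rejected; the request proceeds with the rest.`, plus the same sentence in the README entry for IPX_LIMITS_MODIFIERS, would make the behaviour intentional rather than surprising. The handler pipeline this filter sits in begins and ends outside the hunk.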
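Review bot: The dimension guard in the new switch has `case "size":`, but the README text and the default allow-list in this same patch call the handler `resize` (with `s` as its short form); if the handler is registered as `resize`, a request like `/resize_20000x20000/...` passes the allow-list and is never measured, so the case should read `case "resize":`. The rejection uses status 416 (Range Not Satisfiable) and passes `maxDimensions.toString()` as the third createError argument, which is the status-text slot, so a number ends up where a reason phrase belongs; a client error on a modifier argument would normally be `400`, with the limit in the message instead, e.g. `throw createError(\`Requested dimensions exceed the limit of ${options.limits.maxDimensions}px.\`, 400);`. Non-numeric arguments become `NaN` from `Number`, which compares false against the limit and so falls through to sharp; that is acceptable only if sharp rejects them, and deserves a comment saying so. createIPX starts before and continues after this hunk.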
--- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Config can be customized using `IPX_*` environment variables. - `IPX_LIMITS_MODIFIERS` - - Default: `['width', 'w', 'height', 'h', 'resize', 's']` (Abbreviated modifiers will be treated as distinct variants.) + - Default: `['width', ' w', ' height', ' h', ' resize', ' s', ' fit', ' position', ' pos', ' trim', ' extend', ' extract', ' format', ' f', ' quality', ' q', ' rotate', ' enlarge', ' flip', ' flop', ' sharpen', ' median', ' blur', ' gamma', ' negate', ' normalize', ' threshold', ' tint', ' grayscale', ' animated']` (Abbreviated modifiers will be treated as distinct variants.) - e.g.: `IPX_LIMITS_MODIFIERS=w, enlarge` diff --git a/src/ipx.ts b/src/ipx.ts index 29c555c..f1b6ba3 100644 --- a/src/ipx.ts +++ b/src/ipx.ts @@ -65,7 +65,7 @@ export function createIPX(userOptions: Partial): IPX { modifiers: new Set( getEnvironment( "IPX_LIMITS_MODIFIERS", - "width, w, height, h, resize, s" + "width, w, height, h, resize, s, fit, position, pos, trim, extend, extract, format, f, quality, q, rotate, enlarge, flip, flop, sharpen, median, blur, gamma, negate, normalize, threshold, tint, grayscale, animated" ) .split(",") .map((s) => s.trim()) From 9e20841f670be75e32495748350ebafa170664ef Mon Sep 17 00:00:00 2001 From: ausir Date: Wed, 26 Jul 2023 15:59:29 +0800 Subject: [PATCH 3/4] remove note --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2e10ffc..574ab99 100644 --- a/README.md +++ b/README.md 
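Review bot: Widening the default allow-list to include `extend` and `enlarge` changes what the dimension limit means: the guard introduced in the first patch only inspects the width/height/size arguments, so once `extend` is allowed by default the output canvas can grow past `maxDimensions` after the resize has been bounded, and `enlarge` removes the without-enlargement protection that previously kept small sources small. If the intent of `IPX_LIMITS_MAX_DIMENSIONS` is an upper bound on the image the server actually produces, the check needs to cover the extend arguments as well, or be applied to the final output dimensions rather than to individual modifiers. I would at least note the gap in the README entry: "The limit applies to resize-style modifiers only; `extend` can still enlarge the output canvas." The `defaults` object this string lives in begins and ends outside the hunk.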
@@ -49,7 +49,6 @@ Resize to `200x200px` using `embed` method and change format to `webp`: ### Modifiers -* To prevent server abuse, only width, w, height, h, resize, and s modifiers are enabled by default. Other Modifiers should be defined in the configuration (Config). | Property | Docs | Example | Comments | | -------------- | :-------------------------------------------------------------- | :--------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------- | From 5af59c2bf100c9acd4ae757860f738fefa642835 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Chopin?= Date: Thu, 27 Jul 2023 16:50:22 +0200 Subject: [PATCH 4/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 574ab99..911c8a0 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ Config can be customized using `IPX_*` environment variables. - Default: `[]` - - e.g.: `IPX_DOMAINS=https://avatars.githubusercontent.com, https://nuxtjs.org` + - e.g.: `IPX_DOMAINS=https://avatars.githubusercontent.com, https://nuxt.com` - `IPX_MAX_AGE`