Thumbnailer should use a push based mechanism #1128

@butonic

The current thumbnailer uses a pull-based mechanism that fetches an image via CS3+webdav from an internal space and then generates a thumbnail for it.

This requires the thumbnailer service to make requests to other services, which opens up attack vectors in case it gets compromised. Unfortunately, creating thumbnails requires interpreting user-provided bytes, which is a well-known attack vector.

In contrast, the antivirus and search services send a byte stream to clamav / tika and get a corresponding response. This allows locking down any container that runs clamav or tika and forbidding them from making any external requests.

Our thumbnailer service should work in the same way and make a plain http call to another container/pod/service.

In large deployments the clamav, tika and imagor services could then be shared by all instances and scaled based on load, regardless of any instance health.

We could use https://github.com/cshum/imagor, a Fast, secure image processing server and Go library, using libvips. While it uses the thumbor API it has no way to POST an image, yet: cshum/imagor#383 (comment). We might help with that ... after we do an audit of this dependency, as it seems to be from Hong Kong.

Imagor can cache images on an S3 bucket and there is also https://github.com/cshum/imagorvideo for video thumbnails.

We can use the https://hub.docker.com/r/shumc/imagor/ docker container, which even supports HEIC.
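
The push model proposed in this issue, sketched as an added example (not oCIS or imagor code): a worker whose only interface is an HTTP handler that takes image bytes in the request body and returns a thumbnail, so its container needs no outbound network access. Go's standard PNG decoder stands in for imagor/libvips, and the listen address and the size limits are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"image"
	"image/png"
	"io"
	"net/http"
)

const maxBody, maxSide, box = 8 << 20, 4096, 32 // assumed limits and thumbnail edge

// Thumbnail sees only the pushed bytes; it has no client for CS3, WebDAV or storage.
func Thumbnail(r io.Reader) (image.Image, error) {
	src, rerr := io.ReadAll(r)
	cfg, _, cerr := image.DecodeConfig(bytes.NewReader(src)) // header only, no pixel buffer
	if rerr != nil || cerr != nil || cfg.Width < 1 || cfg.Height < 1 || cfg.Width > maxSide || cfg.Height > maxSide {
		return nil, errors.New("rejected before pixel decode")
	}
	img, _, err := image.Decode(bytes.NewReader(src))
	if err != nil {
		return nil, err
	}
	long := cfg.Width // the longest side maps to box, the other keeps the ratio
	if cfg.Height > long {
		long = cfg.Height
	}
	w, h := (cfg.Width*box+long-1)/long, (cfg.Height*box+long-1)/long
	dst := image.NewRGBA(image.Rect(0, 0, w, h))
	for i := 0; i < w*h; i++ { // nearest-neighbour resampling
		x, y := i%w, i/w
		dst.Set(x, y, img.At(img.Bounds().Min.X+x*cfg.Width/w, img.Bounds().Min.Y+y*cfg.Height/h))
	}
	return dst, nil
}

// Handler is the worker's whole interface: image bytes in the body, PNG thumbnail back.
func Handler(w http.ResponseWriter, r *http.Request) {
	thumb, err := Thumbnail(http.MaxBytesReader(w, r.Body, maxBody))
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnprocessableEntity)
		return
	}
	png.Encode(w, thumb)
}

func main() { http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(Handler)) }
```

The caller, which already holds the file, POSTs the bytes and stores the response; the worker's container can then run with an egress-deny network policy, as described above for clamav and tika.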
