Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The way that assets are resized and cropped enables any user to potentially overflow the server #3040

Closed
hsensh opened this issue Sep 2, 2024 · 1 comment
Closed

The way that assets are resized and cropped enables any user to potentially overflow the server #3040

hsensh opened this issue Sep 2, 2024 · 1 comment
Assignees
@benjaminraffetseder
Labels
P2: important Critical issue which does not affect majority of users type: feature ✨ type: security 🔐
Milestone
v3.1.0

Comments

@hsensh
Copy link
Contributor

hsensh commented Sep 2, 2024

I was looking into the way assets are cropped and resized, and I think the preview presets are a genius idea to handle different preset images, however, the fact that I can, without any admin authentication, do this: https://asset-url/?w=50&h=50&mode=crop, I can do a million of these calls with different sizes through any script, and potentially overflow the server with unsolicited files. A non-authenticated user should not be allowed to add new files to the server if it doesn't have the right to, especially when this cannot be controlled or limited from within the configuration as far as I could see, right? All that aside from the actual processing power it takes to resize and crop images on the fly which could also overflow the CPU or RAM potentially.

I would suggest for us to have the option to limit these operations to just presets from the configuration, that way we wouldn't be forced to expose such a resource consuming feature publicly
@hsensh hsensh added the type: bug 🐛 Something isn't working label Sep 2, 2024
@michaelbromley michaelbromley added type: security 🔐 P2: important Critical issue which does not affect majority of users labels Sep 2, 2024
@michaelbromley michaelbromley moved this to 📅 Planned in Vendure OS Roadmap Sep 2, 2024
@dlhck dlhck added type: feature ✨ and removed type: bug 🐛 Something isn't working labels Sep 24, 2024
@dlhck dlhck moved this from 📅 Planned to 📦 Backlog in Vendure OS Roadmap Sep 24, 2024
@dlhck
Copy link
Collaborator

dlhck commented Sep 24, 2024

There is something called Signed URLs that basically mitigate that risk.

A signed URL is a URL that provides limited permission and time to make a request.

@dlhck dlhck added this to the v3.1 milestone Sep 24, 2024
@michaelbromley michaelbromley moved this from 📅 Planned to ♻️ In progress in Vendure OS Roadmap Nov 27, 2024
michaelbromley added a commit that referenced this issue Nov 27, 2024
@michaelbromley
feat(asset-server-plugin): Implement ImageTransformStrategy
9ca7c9c 
Relates to #3040. This new strategy allows you to control the
parameters that get used to transform the image. We also expose a new PresetOnlyStrategy that
limits transforms to just the presets.
michaelbromley added a commit that referenced this issue Nov 27, 2024
@michaelbromley
test(asset-server-plugin): Add e2e test for ImageTransformStrategy
0572ac5 
Relates to #3040
michaelbromley added a commit that referenced this issue Nov 27, 2024
@michaelbromley
docs(asset-server-plugin): Add docs for ImageTransformStrategy
28e5e50 
Relates to #3040
@michaelbromley michaelbromley mentioned this issue Nov 27, 2024
Merged
michaelbromley added a commit that referenced this issue Nov 27, 2024
@michaelbromley
feat(asset-server-plugin): Implement ImageTransformStrategy for impro…
dde738d 
…ved control over image transformations (#3240)

Closes #3040
@michaelbromley michaelbromley moved this from ♻️ In progress to 💯 Ready in Vendure OS Roadmap Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@benjaminraffetseder benjaminraffetseder

Labels
P2: important Critical issue which does not affect majority of users type: feature ✨ type: security 🔐
Projects
Vendure OS Roadmap
Status: 💯 Ready
Milestone
v3.1.0
Development

No branches or pull requests
4 participants
@michaelbromley @benjaminraffetseder @hsensh @dlhck