Merge pull request #197 from SixLabors/js/fix-195

JimBobSquarePants · web-flow · commit 12780011d24f · 2022-01-05T14:14:53.000+11:00
Ensure invalid format commands don't get processed.
diff --git a/src/ImageSharp.Web/FormatUtilities.cs b/src/ImageSharp.Web/FormatUtilities.cs
@@ -51,14 +51,26 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         public string GetExtensionFromUri(string uri)
         {
+            // TODO: This method should follow TryGet pattern. Fix for V2.
             int query = uri.IndexOf('?');
             ReadOnlySpan<char> path;
 
             if (query > -1)
             {
-                if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase) && QueryHelpers.ParseQuery(uri.Substring(query)).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
+                if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)
+                    && QueryHelpers.ParseQuery(uri.Substring(query)).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
                 {
-                    return ext;
+                    // We have a query but is it a valid one?
+                    ReadOnlySpan<char> extSpan = ext[0].AsSpan();
+                    foreach (string extension in this.extensions)
+                    {
+                        if (extSpan.Equals(extension, StringComparison.OrdinalIgnoreCase))
+                        {
+                            return extension;
+                        }
+                    }
+
+                    return null;
                 }
 
                 path = uri.AsSpan(0, query);
diff --git a/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs b/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs
@@ -2,7 +2,6 @@
 // Licensed under the Apache License, Version 2.0.
 
 using System;
-using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Globalization;
diff --git a/src/ImageSharp.Web/Processors/FormatWebProcessor.cs b/src/ImageSharp.Web/Processors/FormatWebProcessor.cs
@@ -37,9 +37,7 @@ private static readonly IEnumerable<string> FormatCommands
         /// </summary>
         /// <param name="options">The middleware configuration options.</param>
         public FormatWebProcessor(IOptions<ImageSharpMiddlewareOptions> options)
-        {
-            this.options = options.Value;
-        }
+            => this.options = options.Value;
 
         /// <inheritdoc/>
         public IEnumerable<string> Commands { get; } = FormatCommands;
diff --git a/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs b/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs
@@ -14,7 +14,7 @@ public class FormatUtilitiesTests
         public static IEnumerable<object[]> DefaultExtensions =
             Configuration.Default.ImageFormats.SelectMany(f => f.FileExtensions.Select(e => new object[] { e, e }));
 
-        private static readonly FormatUtilities FormatUtilities = new FormatUtilities(Options.Create(new ImageSharpMiddlewareOptions()));
+        private static readonly FormatUtilities FormatUtilities = new(Options.Create(new ImageSharpMiddlewareOptions()));
 
         [Theory]
         [MemberData(nameof(DefaultExtensions))]
@@ -27,22 +27,29 @@ public void GetExtensionShouldMatchDefaultExtensions(string expected, string ext
         [Fact]
         public void GetExtensionShouldNotMatchExtensionWithoutDotPrefix()
         {
-            const string Uri = "http://www.example.org/some/path/to/bmpimage";
-            Assert.Null(FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/bmpimage";
+            Assert.Null(FormatUtilities.GetExtensionFromUri(uri));
         }
 
         [Fact]
         public void GetExtensionShouldIgnoreQueryStringWithoutFormatParamter()
         {
-            const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";
-            Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";
+            Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(uri));
         }
 
         [Fact]
         public void GetExtensionShouldAcknowledgeQueryStringFormatParameter()
         {
-            const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";
-            Assert.Equal("png", FormatUtilities.GetExtensionFromUri(Uri));
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";
+            Assert.Equal("png", FormatUtilities.GetExtensionFromUri(uri));
+        }
+
+        [Fact]
+        public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()
+        {
+            const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";
+            Assert.Null(FormatUtilities.GetExtensionFromUri(uri));
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public class FormatUtilitiesTests`
`14`	`14`	`public static IEnumerable<object[]> DefaultExtensions =`
`15`	`15`	`Configuration.Default.ImageFormats.SelectMany(f => f.FileExtensions.Select(e => new object[] { e, e }));`
`16`	`16`
`17`		`- private static readonly FormatUtilities FormatUtilities = new FormatUtilities(Options.Create(new ImageSharpMiddlewareOptions()));`
	`17`	`+ private static readonly FormatUtilities FormatUtilities = new(Options.Create(new ImageSharpMiddlewareOptions()));`
`18`	`18`
`19`	`19`	`[Theory]`
`20`	`20`	`[MemberData(nameof(DefaultExtensions))]`
`@@ -27,22 +27,29 @@ public void GetExtensionShouldMatchDefaultExtensions(string expected, string ext`
`27`	`27`	`[Fact]`
`28`	`28`	`public void GetExtensionShouldNotMatchExtensionWithoutDotPrefix()`
`29`	`29`	`{`
`30`		`- const string Uri = "http://www.example.org/some/path/to/bmpimage";`
`31`		`- Assert.Null(FormatUtilities.GetExtensionFromUri(Uri));`
	`30`	`+ const string uri = "http://www.example.org/some/path/to/bmpimage";`
	`31`	`+ Assert.Null(FormatUtilities.GetExtensionFromUri(uri));`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`[Fact]`
`35`	`35`	`public void GetExtensionShouldIgnoreQueryStringWithoutFormatParamter()`
`36`	`36`	`{`
`37`		`- const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";`
`38`		`- Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(Uri));`
	`37`	`+ const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&foo=.png";`
	`38`	`+ Assert.Equal("bmp", FormatUtilities.GetExtensionFromUri(uri));`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`[Fact]`
`42`	`42`	`public void GetExtensionShouldAcknowledgeQueryStringFormatParameter()`
`43`	`43`	`{`
`44`		`- const string Uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";`
`45`		`- Assert.Equal("png", FormatUtilities.GetExtensionFromUri(Uri));`
	`44`	`+ const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=png";`
	`45`	`+ Assert.Equal("png", FormatUtilities.GetExtensionFromUri(uri));`
	`46`	`+ }`
	`47`	`+`
	`48`	`+ [Fact]`
	`49`	`+ public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()`
	`50`	`+ {`
	`51`	`+ const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";`
	`52`	`+ Assert.Null(FormatUtilities.GetExtensionFromUri(uri));`
`46`	`53`	`}`
`47`	`54`	`}`
`48`	`55`	`}`