/*
Run this, connect to
http://localhost:3000/check/image?url=http://dl.dropbox.com/u/1167202/IMAG0193.jpg
That image is just under 2Mb. I tell the request to disconnect immediately (see
the maxSize = 0 hack inside identifyImageURL()) and all the data keeps arriving
bit by bit until the entire file is downloaded.
(This is perhaps more obvious on my slow South African line, but you can see
the byte totals coming in and it trying to call destroy again and again in the
terminal output.)
I could add a timeout, but then it would time out instead of throwing an error
immediately. I could pause the stream, but then it would likely also hang
around until it times out.
An obvious exploit (if I went live with this) would be to ask for information
on a malicious URL that just keeps sending more and more stuff, but has an
image content type.
I could buffer the image in a temp file, but it would still download the entire
image (or potentially forever) AND then it would just fill up the hard drive
with arbitrary bytes. This isn't really a memory issue anyway as I stream the
file to GraphicsMagick so I don't actually keep the chunks around. So that kind
of answer isn't even relevant.
*/
// Third-party modules: web framework, GraphicsMagick bindings, HTTP client.
var express = require('express');
var gm = require('gm');
var request = require('request');

// Express 2.x-style server with terse request logging and verbose error pages
// (exceptions and stack traces are dumped into the response).
var app = express.createServer();
app.use(express.logger('tiny'));
app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
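/**
 * Pre-flight a remote URL with a HEAD request and report whether it looks like
 * an acceptable image before any body bytes are downloaded.
 *
 * @param {Object} options
 * @param {string} options.url - URL to probe.
 * @param {string[]} options.supportedTypes - accepted media types, e.g. 'image/png'.
 * @param {number} options.maxSize - largest declared Content-Length (bytes) to accept.
 * @param {function(Object|null, Object=)} callback - called with
 *   {name: "ServerError"|"NotFound"|"UnknownType"|"TooBig"} on rejection, or
 *   (null, {contentType, contentLength}) carrying the raw header values on success.
 *
 * The HEAD response is advisory only: the GET performed afterwards may return a
 * different type or length, and a missing Content-Length is allowed through, so
 * the byte limit must also be enforced while the body is actually being read.
 */
function checkURL(options, callback) {
  // TODO: some kind of timeout would be nice
  var url = options.url;
  var supportedTypes = options.supportedTypes;
  var maxSize = options.maxSize;

  request.head(url, function(err, response) {
    if (err) {
      // Probably anything from a timeout to network error.
      console.error(err);
      callback({name: "ServerError"});
      return;
    }
    if (response.statusCode !== 200) {
      // Assume not found for now.
      // What about other success statuses?
      callback({name: "NotFound"});
      return;
    }

    var contentType = response.headers['content-type'];
    var contentLength = response.headers['content-length'];

    // Compare only the media type, case-insensitively: a header such as
    // "image/jpeg; charset=binary" must still match 'image/jpeg'.
    var mediaType = contentType ? contentType.split(';')[0].trim().toLowerCase() : '';
    if (supportedTypes.indexOf(mediaType) === -1) {
      callback({name: "UnknownType"});
      return;
    }

    // Header values are strings; compare as a number instead of relying on
    // implicit coercion. A missing or unparseable length passes this check
    // (as a missing one always did) and is left to the download step.
    var declaredLength = parseInt(contentLength, 10);
    if (isNaN(declaredLength) || declaredLength < maxSize) {
      // looks OK so far
      callback(null, {
        contentType: contentType,
        contentLength: contentLength
      });
    } else {
      callback({name: "TooBig"});
    }
  });
}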
/**
 * Stream a remote image through GraphicsMagick's identify and report its
 * features, counting the bytes that arrive so an over-size body can be
 * rejected.
 *
 * @param {Object} options
 * @param {string} options.url - URL to download.
 * @param {number} options.maxSize - byte limit (currently overridden, see HACK below).
 * @param {function(Object|null, Object=)} callback - called with
 *   {name: "TooBig"|"ServerError"} on failure, or (null, data) where data is
 *   gm's identify result with `contentLength` set to the bytes received.
 *
 * NOTE(review): gm(req) is created before the 'data' listener is attached;
 * presumably the order matters for how the response stream is consumed —
 * confirm before reordering these statements.
 */
function identifyImageURL(options, callback) {
  // TODO:
  // * some kind of timeout would be nice
  // * and maybe a whitelist of supported image formats
  // * perhaps we should also make sure that only websafe features like
  // colour profiles or modes are used
  var
  url = options.url,
  //maxSize = options.maxSize;
  maxSize = 0, // HACK: force every response over the limit so the
               // "destroy() does not stop the download" behaviour described
               // in the header comment is reproduced on any image.
  req = request.get(url),
  total = 0, // bytes seen so far on the response stream
  image = gm(req);
  image.identify(function(err, data) {
    if (err) {
      // The byte counter decides whether an identify failure is reported as
      // an over-size body or as a generic fetch/decode problem.
      if (total > maxSize) {
        callback({name: "TooBig"});
      } else {
        callback({name: "ServerError"});
      }
    } else {
      // Even a successfully identified image is rejected once more than
      // maxSize bytes have arrived.
      if (total > maxSize) {
        callback({name: "TooBig"});
      } else {
        data.contentLength = total;
        callback(null, data);
      }
    }
  });
  // limit the image size
  req.on('data', function(data) {
    total += data.length;
    // Running total per chunk; these are the byte totals mentioned in the
    // header comment.
    console.log(total, data.length);
    if (total > maxSize) {
      // Fires again for every further chunk: per the header comment the
      // data keeps arriving even after destroy() has been called.
      console.log("hanging up");
      req.pause(); // this does nothing too
      req.destroy(); // hang up
    }
  });
};
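/**
 * GET /check/image?url=<remote image URL>
 *
 * Responds with {error: <name>} on rejection, or with
 * {contentType, contentLength, format, width, height} for an acceptable image.
 * Errors keep the default 200 status, as before; clients inspect `error` in
 * the body.
 *
 * The URL is supplied by the client and fetched server-side, so it is
 * untrusted input: only http/https strings are accepted here. Restricting
 * which hosts may be fetched (for example refusing internal addresses) is
 * still needed before exposing this endpoint publicly.
 */
app.get('/check/image', function(req, res) {
  var url = req.query.url;
  var maxSize = 5 * 1024 * 1024; // 5Mb

  // req.query.url may be absent or repeated (an array); neither is a URL
  // that request.head() can use, so reject before any network activity.
  if (typeof url !== 'string' || !/^https?:\/\//i.test(url)) {
    res.send({error: "InvalidURL"});
    return;
  }

  checkURL({
    url: url,
    supportedTypes: ['image/png', 'image/jpeg', 'image/gif'],
    maxSize: maxSize
  }, function(err, info) {
    if (err) {
      res.send({error: err.name});
      return;
    }
    identifyImageURL({
      url: url,
      maxSize: maxSize
    }, function(err, features) {
      if (err) {
        res.send({error: err.name});
        return;
      }
      // Guard against an identify result without a size object; a TypeError
      // here would be an uncaught exception in an async callback.
      var size = features.size || {};
      // Declared with `var`: the previous version assigned an undeclared
      // `data`, leaking a global shared between concurrent requests.
      var data = {
        contentType: info.contentType,
        contentLength: features.contentLength,
        format: features.format,
        width: size.width,
        height: size.height
      };
      res.send(data);
    });
  });
});

app.listen(3000);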
lerouxb commented May 19, 2012

lerouxb commented May 19, 2012

Also see https://gist.github.com/2730854 which just uses node's own http module and works just fine.
