check that image bytes are actually an image

2025-04-05 13:08:17 -05:00 · 2018-03-02 16:07:29 -05:00 · 2018-03-02 16:07:29 -05:00 · 55cfc44776
commit 55cfc44776
parent f17023ecad
2 changed files with 16 additions and 1 deletions
--- a/src/Icons/Controllers/IconsController.cs
+++ b/src/Icons/Controllers/IconsController.cs
@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Net.Http;
@ -18,6 +19,15 @@ namespace Bit.Icons.Controllers
            AllowAutoRedirect = false,
            AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate
        });
+        static readonly List<byte[]> _validImageData = new List<byte[]>
+        {
+            // png
+            new byte[] { 137, 80, 78, 71 },
+            // ico
+            new byte[] { 00, 00, 01, 00 },
+            // jpeg
+            new byte[] { 255, 216, 255 }
+        };
        private readonly IMemoryCache _memoryCache;
        private readonly IDomainMappingService _domainMappingService;
        private readonly IconsSettings _iconsSettings;
@ -60,6 +70,11 @@ namespace Bit.Icons.Controllers
                }

                var image = await response.Content.ReadAsByteArrayAsync();
+                if(!_validImageData.Any(d => d.SequenceEqual(image.Take(d.Length))))
+                {
+                    return new NotFoundResult();
+                }
+
                icon = new Icon
                {
                    Image = image,
--- a/src/Icons/appsettings.json
+++ b/src/Icons/appsettings.json
@ -13,7 +13,7 @@
    }
  },
  "iconsSettings": {
-    "bestIconBaseUrl": "https://icons.better-idea.org",
+    "bestIconBaseUrl": "https://besticon-demo.herokuapp.com",
    "cacheHours": 24,
    "cacheSizeLimit": null
  }