Merge pull request #390 from SixLabors/js/fix-233

JimBobSquarePants · web-flow · commit 21efd0c4159a · 2025-07-31T11:31:26.000+10:00
Ensure invalid path extensions are skipped when validating input URLs
diff --git a/samples/ImageSharp.Web.Sample/Pages/Index.cshtml b/samples/ImageSharp.Web.Sample/Pages/Index.cshtml
@@ -52,10 +52,10 @@
         </div>
         <div>
             <p>
-                <code>sixlabors.imagesharp.web.svg?width=300</code>
+                <code>sixlabors.imagesharp.web.svg?width=300&format=jpg</code>
             </p>
             <p>
-                <img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" />
+            <img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" imagesharp-format="Format.Jpg" />
             </p>
         </div>
     </section>
diff --git a/src/ImageSharp.Web/FormatUtilities.cs b/src/ImageSharp.Web/FormatUtilities.cs
@@ -53,12 +53,19 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
     [MethodImpl(MethodImplOptions.AggressiveInlining)]
     public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? extension)
     {
+        // Attempts to extract a valid image file extension from the URI.
+        // If the path contains a recognized extension, it is used.
+        // If the path lacks an extension and a query string is present,
+        // the method checks for a valid 'format' parameter as a fallback.
+        // Returns true if a supported extension is found in either location.
         extension = null;
         int query = uri.IndexOf('?');
         ReadOnlySpan<char> path;
 
         if (query > -1)
         {
+            path = uri.AsSpan(0, query);
+
             if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)
                 && QueryHelpers.ParseQuery(uri[query..]).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
             {
@@ -68,15 +75,13 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
                 {
                     if (extSpan.Equals(e, StringComparison.OrdinalIgnoreCase))
                     {
+                        // We've found a valid extension in the query.
+                        // Now we need to check the path to see if there is a file extension and validate that.
                         extension = e;
-                        return true;
+                        break;
                     }
                 }
-
-                return false;
             }
-
-            path = uri.AsSpan(0, query);
         }
         else
         {
@@ -92,13 +97,17 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
             {
                 if (pathExtension.Equals(e, StringComparison.OrdinalIgnoreCase))
                 {
-                    extension = e;
+                    // We've found a valid extension in the path, however we do not
+                    // want to overwrite an existing extension.
+                    extension ??= e;
                     return true;
                 }
             }
+
+            return false;
         }
 
-        return false;
+        return extension != null;
     }
 
     /// <summary>
diff --git a/src/ImageSharp.Web/ImageSharp.Web.csproj b/src/ImageSharp.Web/ImageSharp.Web.csproj
@@ -46,7 +46,7 @@
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
-    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.8" />
+    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.11" />
   </ItemGroup>
 
   <Import Project="..\..\shared-infrastructure\src\SharedInfrastructure\SharedInfrastructure.projitems" Label="Shared" />
diff --git a/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs b/tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs
@@ -46,9 +46,16 @@ public void GetExtensionShouldAcknowledgeQueryStringFormatParameter()
     }
 
     [Fact]
-    public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()
+    public void GetExtensionShouldAllowInvalidQueryStringFormatParameterWithValidExtension()
     {
         const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";
+        Assert.True(FormatUtilities.TryGetExtensionFromUri(uri, out _));
+    }
+
+    [Fact]
+    public void GetExtensionShouldRejectInvalidPathWithValidQueryStringFormatParameter()
+    {
+        const string uri = "http://www.example.org/some/path/to/image.svg?width=300&format=jpg";
         Assert.False(FormatUtilities.TryGetExtensionFromUri(uri, out _));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -53,12 +53,19 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)`
`53`	`53`	`[MethodImpl(MethodImplOptions.AggressiveInlining)]`
`54`	`54`	`public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? extension)`
`55`	`55`	`{`
	`56`	`+ // Attempts to extract a valid image file extension from the URI.`
	`57`	`+ // If the path contains a recognized extension, it is used.`
	`58`	`+ // If the path lacks an extension and a query string is present,`
	`59`	`+ // the method checks for a valid 'format' parameter as a fallback.`
	`60`	`+ // Returns true if a supported extension is found in either location.`
`56`	`61`	`extension = null;`
`57`	`62`	`int query = uri.IndexOf('?');`
`58`	`63`	`ReadOnlySpan<char> path;`
`59`	`64`
`60`	`65`	`if (query > -1)`
`61`	`66`	`{`
	`67`	`+ path = uri.AsSpan(0, query);`
	`68`	`+`
`62`	`69`	`if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)`
`63`	`70`	`&& QueryHelpers.ParseQuery(uri[query..]).TryGetValue(FormatWebProcessor.Format, out StringValues ext))`
`64`	`71`	`{`
`@@ -68,15 +75,13 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e`
`68`	`75`	`{`
`69`	`76`	`if (extSpan.Equals(e, StringComparison.OrdinalIgnoreCase))`
`70`	`77`	`{`
	`78`	`+ // We've found a valid extension in the query.`
	`79`	`+ // Now we need to check the path to see if there is a file extension and validate that.`
`71`	`80`	`extension = e;`
`72`		`- return true;`
	`81`	`+ break;`
`73`	`82`	`}`
`74`	`83`	`}`
`75`		`-`
`76`		`- return false;`
`77`	`84`	`}`
`78`		`-`
`79`		`- path = uri.AsSpan(0, query);`
`80`	`85`	`}`
`81`	`86`	`else`
`82`	`87`	`{`
`@@ -92,13 +97,17 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e`
`92`	`97`	`{`
`93`	`98`	`if (pathExtension.Equals(e, StringComparison.OrdinalIgnoreCase))`
`94`	`99`	`{`
`95`		`- extension = e;`
	`100`	`+ // We've found a valid extension in the path, however we do not`
	`101`	`+ // want to overwrite an existing extension.`
	`102`	`+ extension ??= e;`
`96`	`103`	`return true;`
`97`	`104`	`}`
`98`	`105`	`}`
	`106`	`+`
	`107`	`+ return false;`
`99`	`108`	`}`
`100`	`109`
`101`		`- return false;`
	`110`	`+ return extension != null;`
`102`	`111`	`}`
`103`	`112`
`104`	`113`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -46,9 +46,16 @@ public void GetExtensionShouldAcknowledgeQueryStringFormatParameter()`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`[Fact]`
`49`		`- public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()`
	`49`	`+ public void GetExtensionShouldAllowInvalidQueryStringFormatParameterWithValidExtension()`
`50`	`50`	`{`
`51`	`51`	`const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";`
	`52`	`+ Assert.True(FormatUtilities.TryGetExtensionFromUri(uri, out _));`
	`53`	`+ }`
	`54`	`+`
	`55`	`+ [Fact]`
	`56`	`+ public void GetExtensionShouldRejectInvalidPathWithValidQueryStringFormatParameter()`
	`57`	`+ {`
	`58`	`+ const string uri = "http://www.example.org/some/path/to/image.svg?width=300&format=jpg";`
`52`	`59`	`Assert.False(FormatUtilities.TryGetExtensionFromUri(uri, out _));`
`53`	`60`	`}`
`54`	`61`	`}`