Skip to content

Improve WebP detection #733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 5, 2025
Merged

Improve WebP detection #733

merged 1 commit into from
Feb 5, 2025
+11 −7

Conversation

sugar700
Copy link
Contributor

@sugar700 sugar700 commented Feb 4, 2025
edited by sindresorhus
Loading

Previously WebP parser checked for a plain string in middle of a file, enabling possible vulnerabilities like uploading of JSON files when only images are meant to be uploaded.

Considering WebP files are stored within RIFF containers, it makes sense to check whether a WebP file is stored in such container.

WebP specification saying that WebP files start with RIFF: https://developers.google.com/speed/webp/docs/riff_container?hl=pl#webp_file_header

Fixes #731

@sindresorhus sindresorhus mentioned this pull request Feb 5, 2025
Closed
Borewit
Borewit approved these changes Feb 5, 2025
View reviewed changes
Copy link
Collaborator

@Borewit Borewit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much better

@Borewit
Copy link
Collaborator

Borewit commented Feb 5, 2025
edited
Loading

Can we put this one on top of PR #732 as the sorting of the detection of RIFF is incorrect? Done

Please rebase @sugar700

@Borewit Borewit mentioned this pull request Feb 5, 2025
Merged
@sugar700
Make sure JSON files aren't recognized as WebP
bc63521 
Previously WebP parser checked for a plain string in middle of a file,
enabling possible vulnerabilities like uploading of JSON files when
only images are meant to be uploaded.

Considering WebP files are stored within RIFF containers, it makes sense
to check whether a WebP file is stored in such container.
@sugar700 sugar700 force-pushed the make-sure-json-files-arent-recognized-as-webp branch from d35ac84 to bc63521 Compare February 5, 2025 14:40
@sugar700
Copy link
Contributor Author

sugar700 commented Feb 5, 2025

Rebased.

@sindresorhus sindresorhus merged commit ef486f1 into sindresorhus:main Feb 5, 2025
3 checks passed
@sindresorhus sindresorhus changed the title Make sure JSON files aren't recognized as WebP Improve WebP detection Feb 5, 2025
@sindresorhus
Copy link
Owner

Thank you, @sugar700

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sindresorhus sindresorhus sindresorhus approved these changes

@Borewit Borewit Borewit approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Move WebP check to the RIFF checks to reduce potential false-positives
3 participants
@sugar700 @Borewit @sindresorhus