Issue #1. Verify the file as a valid image to avoid malicious files b…

…eing downloaded.
App-vNext · Sep 3, 2018 · a245dd3 · a245dd3
1 parent ab68738
commit a245dd3
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj b/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj
@@ -46,6 +46,7 @@
     <Reference Include="System" />
     <Reference Include="System.ComponentModel.Composition" />
     <Reference Include="System.Data" />
+    <Reference Include="System.Drawing" />
     <Reference Include="System.IO.Compression.FileSystem" />
     <Reference Include="System.Numerics" />
     <Reference Include="System.Xml" />

diff --git a/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs b/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs
@@ -12,6 +12,7 @@
 using System.IO;
 using System.Net.Http;
 using System.Net;
+using System.Drawing;
 
 namespace AppVNext.Notifier
 {
@@ -228,13 +229,15 @@ private static string DownloadImage(string imageUrl)
 
 				if (File.Exists(imagePath))
 				{
+					ValidateImage(ref imagePath);
 					return imagePath;
 				}
 
 				// Download image to cache.
 				var webClient = new WebClient();
 				webClient.DownloadFile(imageUri, imagePath);
 
+				ValidateImage(ref imagePath);
 				return imagePath;
 			}
 			catch
@@ -243,5 +246,20 @@ private static string DownloadImage(string imageUrl)
 				return string.Empty;
 			}
 		}
+
+		private static void ValidateImage(ref string imagePath)
+		{
+			try
+			{
+				using (var image = Image.FromFile(imagePath))
+				{ }
+			}
+			catch (OutOfMemoryException)
+			{
+				// If the file is not an image or GDI+ does not support the pixel format of the file
+				// a OutOfMemoryException will be thrown and the file will be ignored.
+				imagePath = string.Empty;
+			}
+		}
 	}
 }