From a245dd30a9eff235c7c33f8b6066f81f9fdb56fd Mon Sep 17 00:00:00 2001
From: Gerardo Melendrez
Date: Mon, 3 Sep 2018 15:38:17 -0700
Subject: [PATCH] Issue #1. Verify the file as a valid image to avoid malicious files being downloaded.

---
 .../AppVNext.Notifier.ConsoleUwp.csproj | 1 +
 src/AppVNext.Notifier.ConsoleUwp/Notifier.cs | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj b/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj
index 1407db0..98c748e 100644
--- a/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj
+++ b/src/AppVNext.Notifier.ConsoleUwp/AppVNext.Notifier.ConsoleUwp.csproj
@@ -46,6 +46,7 @@
+
diff --git a/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs b/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs
index fe555e7..a165017 100644
--- a/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs
+++ b/src/AppVNext.Notifier.ConsoleUwp/Notifier.cs
@@ -12,6 +12,7 @@ using System.IO;
 using System.Net.Http;
 using System.Net;
+using System.Drawing;
 namespace AppVNext.Notifier
 {
@@ -228,6 +229,7 @@ private static string DownloadImage(string imageUrl)
 if (File.Exists(imagePath))
 {
+ ValidateImage(ref imagePath);
 return imagePath;
 }
@@ -235,6 +237,7 @@ private static string DownloadImage(string imageUrl)
 var webClient = new WebClient();
 webClient.DownloadFile(imageUri, imagePath);
+ ValidateImage(ref imagePath);
 return imagePath;
 }
 catch
@@ -243,5 +246,20 @@ private static string DownloadImage(string imageUrl)
 return string.Empty;
 }
 }
+
+ private static void ValidateImage(ref string imagePath)
+ {
+ try
+ {
+ using (var image = Image.FromFile(imagePath))
+ { }
+ }
+ catch (OutOfMemoryException)
+ {
+ // If the file is not an image or GDI+ does not support the pixel format of the file
+ // a OutOfMemoryException will be thrown and the file will be ignored.
+ imagePath = string.Empty;
+ }
+ }
 }
 }
\ No newline at end of file
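Review bot: A file that ValidateImage rejects stays on disk, both here and in the hunk at -235,6 +237,7: only the returned path is blanked, so in this branch every later call for the same URL re-decodes the same rejected cached file, and in the download branch the file the commit wants to keep out is still written and kept. Removing it when validation fails closes that gap; in the download branch, which the visible `catch` covers, keep a copy with `var downloaded = imagePath;` before the call and add `if (imagePath.Length == 0) { File.Delete(downloaded); }` after it. DownloadImage begins outside the hunk, so whether this `File.Exists` branch sits inside the same `try` is not visible, and a `File.Delete` here would need its own IOException handling.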
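Review bot: ValidateImage uses a full GDI+ decode as the validity check but handles only OutOfMemoryException, so a `FileNotFoundException` (file removed between `File.Exists` and this call) or an `ArgumentException` from `Image.FromFile` escapes to the caller — swallowed by the visible `catch` in the download branch, while in the `File.Exists` branch at -228 it is not visible whether any `try` encloses the call. Widening the filter to the documented failures keeps the outcome uniform: `catch (Exception ex) when (ex is OutOfMemoryException || ex is FileNotFoundException || ex is ArgumentException)`. Because the decoder now runs on every downloaded and cached file, a size check before decoding (`new FileInfo(imagePath).Length` against a cap) would avoid fully decoding a large download only to reject it, and a successful decode should be read as "GDI+ could parse it", not as proof the file is harmless. On style, the `ref string` used as an in/out failure signal would read more directly as `private static bool IsValidImage(string imagePath)` with the caller choosing the empty path, and the unused `image` local can go: `using (Image.FromFile(imagePath)) { }`.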