SixLabors.ImageSharp.Drawing has potential vulnerability
plade opened this issue
Describe the bug
SixLabors.ImageSharp.Drawing version needs to be upgraded to 2.0.0 or later.
Previous versions use SixLabors.ImageSharp with a potential vulnerability that was fixed in PR SixLabors/ImageSharp#2524
It looks like SixLabors.ImageSharp.Drawing is not netstandard anymore, so this will need a bit more work than just upgrading the package.
I think that's a minor issue.
ReportGenerator uses ImageSharp to generate images/badges. It does not process arbitrary images from outside. So it's not possible to exploit the vulnerability in this context.
Yes I believe it's quite a non-issue.
Would you mind if I tried to contribute and fix it as a small project for myself?
Sure. Maybe there a way to replace ImageSharp completely, as it's only used for some simple rendering.
I think I will remove ImageSharp completely.
It's only used for:
- some PNG badges. They already have an SVG alternative.
- A PNG chart. This can be also replaced by an SVG image.
Made the necessary changes in ae8c4fc.
- Report type PngChart is now replaced with SvgChart.
- Badges in PNG format are no longer generated.
- Fallback PNG history charts (only visible in HTML report, if JavaScript is disabled) are also in SVG format (and look much better now)
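For readers following the approach taken in the thread (dropping the raster image library and emitting SVG directly), here is an added example of how a history chart can be rendered as SVG with plain string building. It is illustrative code written for this page, not ReportGenerator's own implementation; the class name, the sample data points and the colours are assumptions. Because the chart is built only from the tool's own numbers and never decodes an image file, no image-decoder code path is present in this rendering step.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security;
using System.Text;

// Hypothetical helper (not ReportGenerator's code): renders a coverage history as an SVG
// line chart without any image library. Only numbers and dates go in; text is XML-escaped.
public static class SvgHistoryChart
{
    public static string Render(IReadOnlyList<(DateTime Date, double CoveragePercent)> points,
                                int width = 600, int height = 200)
    {
        if (points == null || points.Count == 0)
            throw new ArgumentException("At least one data point is required", nameof(points));

        const int margin = 30;
        var inv = CultureInfo.InvariantCulture;          // fixed decimal separator for SVG attributes
        double plotW = width - 2 * margin;
        double plotH = height - 2 * margin;

        // Map point index to x and a percentage (clamped to 0..100) to y in SVG user units.
        string X(int i) =>
            (margin + (points.Count == 1 ? plotW / 2 : plotW * i / (points.Count - 1))).ToString("0.##", inv);
        string Y(double pct) =>
            (margin + plotH * (1 - Math.Clamp(pct, 0, 100) / 100)).ToString("0.##", inv);

        var sb = new StringBuilder();
        sb.Append("<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 ")
          .Append(width).Append(' ').Append(height).Append("\">\n");

        // Gridlines and axis labels at 0, 50 and 100 percent.
        foreach (var pct in new[] { 0.0, 50.0, 100.0 })
        {
            sb.Append("  <line x1=\"").Append(margin).Append("\" x2=\"").Append(width - margin)
              .Append("\" y1=\"").Append(Y(pct)).Append("\" y2=\"").Append(Y(pct))
              .Append("\" stroke=\"#ccc\" stroke-width=\"1\"/>\n");
            sb.Append("  <text x=\"2\" y=\"").Append(Y(pct)).Append("\" font-size=\"10\">")
              .Append(pct.ToString("0", inv)).Append("%</text>\n");
        }

        // The coverage line itself.
        var polyline = string.Join(" ", points.Select((p, i) => X(i) + "," + Y(p.CoveragePercent)));
        sb.Append("  <polyline fill=\"none\" stroke=\"#4caf50\" stroke-width=\"2\" points=\"")
          .Append(polyline).Append("\"/>\n");

        // One marker per point with the date as a tooltip; the text is escaped before embedding.
        for (int i = 0; i < points.Count; i++)
        {
            var label = SecurityElement.Escape(points[i].Date.ToString("yyyy-MM-dd", inv));
            sb.Append("  <circle cx=\"").Append(X(i)).Append("\" cy=\"").Append(Y(points[i].CoveragePercent))
              .Append("\" r=\"3\"><title>").Append(label).Append("</title></circle>\n");
        }

        sb.Append("</svg>\n");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample history, not real project data.
        var history = new List<(DateTime, double)>
        {
            (new DateTime(2024, 1, 1), 61.5),
            (new DateTime(2024, 1, 8), 64.0),
            (new DateTime(2024, 1, 15), 63.2),
            (new DateTime(2024, 1, 22), 70.8),
        };
        Console.Write(Render(history));
    }
}
```

The output is a self-contained SVG document that scales to any size via `viewBox`, which is also what makes an SVG chart a drop-in replacement for the fallback PNG in an HTML report.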