SixLabors.ImageSharp.Drawing has potential vulnerability

Question

SixLabors.ImageSharp.Drawing has potential vulnerability

plade opened this issue 8 months ago · comments

Describe the bug
SixLabors.ImageSharp.Drawing version needs to be upgraded to 2.0.0 or later.
Previous versions use SixLabors.ImageSharp with a potential vulnerability that was fixed in PR SixLabors/ImageSharp#2524

Pratik Lade · Answer 1 · Sat Sep 30 2023 05:57:22 GMT+0800 (China Standard Time)

It looks like SixLabors.ImageSharp.Drawing is not netstandard anymore, so this will need a bit more work than just upgrading the package.

Daniel Palme · Answer 2 · Sat Sep 30 2023 15:10:29 GMT+0800 (China Standard Time)

I think that's a minor issue.

ReportGenerator uses ImageSharp to generate images/badges. It does not process arbitrary images from outside. So it's not possible to exploit the vulnerability in this context.

Pratik Lade · Answer 3 · Sat Sep 30 2023 21:54:56 GMT+0800 (China Standard Time)

Yes I believe it's quite a non-issue.

Would you mind if I tried to contribute and fix it as a small project for myself?

Daniel Palme · Answer 4 · Sat Sep 30 2023 21:58:18 GMT+0800 (China Standard Time)

Sure. Maybe there a way to replace ImageSharp completely, as it's only used for some simple rendering.

Daniel Palme · Answer 5 · Tue Oct 03 2023 00:57:17 GMT+0800 (China Standard Time)

I think I will remove ImageSharp completely.
It's only used for:

some PNG badges. They already have an SVG alternative.
A PNG chart. This can be also replaced by an SVG image.

Daniel Palme · Answer 6 · Wed Oct 04 2023 03:00:45 GMT+0800 (China Standard Time)

Made the necessary changes in ae8c4fc.

Report type PngChart is now replaced with SvgChart.
Badges in PNG format are no longer generated
Fallback PNG history charts (only visible in HTML report, if JavaScript is disabled) are also in SVG format (and look much better now)