danielpalme/ReportGenerator

SixLabors.ImageSharp.Drawing has potential vulnerability

plade opened this issue · 6 comments

plade commented

Describe the bug
SixLabors.ImageSharp.Drawing version needs to be upgraded to 2.0.0 or later.
Previous versions use SixLabors.ImageSharp with a potential vulnerability that was fixed in PR SixLabors/ImageSharp#2524

plade commented

It looks like SixLabors.ImageSharp.Drawing is not netstandard anymore, so this will need a bit more work than just upgrading the package.

I think that's a minor issue.

ReportGenerator uses ImageSharp to generate images/badges. It does not process arbitrary images from outside. So it's not possible to exploit the vulnerability in this context.

plade commented

Yes, I believe it's quite a non-issue.

Would you mind if I tried to contribute and fix it as a small project for myself?

Sure. Maybe there is a way to replace ImageSharp completely, as it's only used for some simple rendering.

I think I will remove ImageSharp completely.
It's only used for:

  • Some PNG badges. They already have an SVG alternative.
  • A PNG chart. This can also be replaced by an SVG image.

Made the necessary changes in ae8c4fc.

  • Report type PngChart is now replaced with SvgChart.
  • Badges in PNG format are no longer generated.
  • Fallback PNG history charts (only visible in the HTML report if JavaScript is disabled) are also in SVG format (and look much better now).