Allow restricted operator usage #45
Comments
This feature is quite critical. Through testing, we found that users can create approximately 500MB images by using "w50000 + enlarge." This directly leads to the website crashing (nuxt-img middleware). If possible, this should be prioritized as a high-priority issue. Alternatively, it would be preferable to prioritize enforcing the ability to enable or disable various modification parameters via environment variables, for example, enlarge: false, to prevent abuse.
Through testing, it has been observed that Cloudinary's image enlargement is limited to approximately 8100px. By forcefully setting q_100, it is possible to obtain a 3.1 MB image. Apart from forcibly disabling enlarge, it might also be beneficial to enforce a maximum width and height, along with a relationship with quality settings, to prevent potential attacks on the server. Of course, the most fundamental solution should involve the implementation of access keys.
Through api.nuxt.org, it is also possible to access extremely large files. Testing has shown that files exceeding 11000px seem to cause the server to become unresponsive. For example, a simple PNG image with dimensions of 11000px can result in a download size of 2.2MB. More complex images could potentially lead to a complete crash of the serverless service. If you have received this notification, please delete this post or modify its content to remove any potentially harmful material. Thank you. https://api.nuxtjs.org/api/ipx/enlarge,w_11000,f_png/gh/nuxt/modules/main/icons/pinia.svg
Specifically on resizing (numeric) operators to avoid abusing server (related to #44)
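A defender-side sketch of the restriction this thread asks for, added here as an illustration and not part of ipx or of any comment above: a gate in front of the image handler that parses the comma-separated modifier segment (as in `enlarge,w_11000,f_png`), refuses `enlarge` unless an environment variable permits it, clamps `w`/`h` to a maximum, enforces a pixel budget that ties width and height together, and caps `q`. The variable name IPX_ALLOW_ENLARGE, the `h` key and every limit value are assumptions chosen for the example.

```javascript
// Added example (not ipx's own code): gate the modifier segment of an
// ipx-style URL, e.g. "enlarge,w_11000,f_png", before it reaches the resizer.
// IPX_ALLOW_ENLARGE, the "h" key and the limit values are assumptions.
const policy = {
  allowEnlarge: process.env.IPX_ALLOW_ENLARGE === 'true', // off by default
  maxDimension: 4096,       // hard cap on w and h (pixels)
  maxPixels: 4096 * 2160,   // cap on w*h, so 4096x4096 is still refused
  maxQuality: 85,           // q above this is clamped down
};

// Split "key_value" pairs and bare flags into an object.
function parseModifiers(segment) {
  const mods = {};
  for (const part of segment.split(',')) {
    if (!part) continue;
    const i = part.indexOf('_');
    if (i === -1) mods[part] = true;               // bare flag such as "enlarge"
    else mods[part.slice(0, i)] = part.slice(i + 1);
  }
  return mods;
}

// Returns { ok: true, modifiers } with clamped values, or { ok: false, reason }.
function sanitizeModifiers(segment, p = policy) {
  const mods = parseModifiers(segment);
  if ('enlarge' in mods && !p.allowEnlarge) {
    return { ok: false, reason: 'enlarge is disabled' };
  }
  for (const key of ['w', 'h']) {
    if (key in mods) {
      const n = Number(mods[key]);
      if (!Number.isInteger(n) || n <= 0) return { ok: false, reason: `bad ${key}` };
      mods[key] = Math.min(n, p.maxDimension);     // clamp instead of reject
    }
  }
  // Width and height are checked together: a large square still exceeds the budget.
  const area = Number(mods.w || 0) * Number(mods.h || 0);
  if (area > p.maxPixels) return { ok: false, reason: 'pixel budget exceeded' };
  if ('q' in mods) {
    const q = Number(mods.q);
    if (!Number.isInteger(q) || q < 1 || q > 100) return { ok: false, reason: 'bad q' };
    mods.q = Math.min(q, p.maxQuality);
  }
  return { ok: true, modifiers: mods };
}

// Constructed sample from the thread: rejected because enlarge is off.
console.log(sanitizeModifiers('enlarge,w_11000,f_png'));
```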