Ensure invalid path extensions are skipped. Fix #233

Author: JimBobSquarePants

samples/ImageSharp.Web.Sample/Pages/Index.cshtml

@@ -52,10 +52,10 @@
         </div>
         <div>
             <p>
-                <code>sixlabors.imagesharp.web.svg?width=300</code>
+                <code>sixlabors.imagesharp.web.svg?width=300&format=jpg</code>
             </p>
             <p>
-                <img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" />
+            <img src="sixlabors.imagesharp.web.svg" imagesharp-width="300" imagesharp-format="Format.Jpg" />
             </p>
         </div>
     </section>

src/ImageSharp.Web/FormatUtilities.cs

@@ -53,12 +53,19 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
     [MethodImpl(MethodImplOptions.AggressiveInlining)]
     public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? extension)
     {
+        // Attempts to extract a valid image file extension from the URI.
+        // If the path contains a recognized extension, it is used.
+        // If the path lacks an extension and a query string is present,
+        // the method checks for a valid 'format' parameter as a fallback.
+        // Returns true if a supported extension is found in either location.
         extension = null;
         int query = uri.IndexOf('?');
         ReadOnlySpan<char> path;
 
         if (query > -1)
         {
+            path = uri.AsSpan(0, query);
+
             if (uri.Contains(FormatWebProcessor.Format, StringComparison.OrdinalIgnoreCase)
                 && QueryHelpers.ParseQuery(uri[query..]).TryGetValue(FormatWebProcessor.Format, out StringValues ext))
             {
@@ -68,15 +75,13 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
                 {
                     if (extSpan.Equals(e, StringComparison.OrdinalIgnoreCase))
                     {
+                        // We've found a valid extension in the query.
+                        // Now we need to check the path to see if there is a file extension and validate that.
                         extension = e;
-                        return true;
+                        break;
                     }
                 }
-
-                return false;
             }
-
-            path = uri.AsSpan(0, query);
         }
         else
         {
@@ -96,9 +101,11 @@ public bool TryGetExtensionFromUri(string uri, [NotNullWhen(true)] out string? e
                     return true;
                 }
             }
+
+            return false;
         }
 
-        return false;
+        return extension != null;
     }
 
     /// <summary>

tests/ImageSharp.Web.Tests/Helpers/FormatUtilitiesTests.cs

@@ -51,4 +51,11 @@ public void GetExtensionShouldRejectInvalidQueryStringFormatParameter()
         const string uri = "http://www.example.org/some/path/to/image.bmp?width=300&format=invalid";
         Assert.False(FormatUtilities.TryGetExtensionFromUri(uri, out _));
     }
+
+    [Fact]
+    public void GetExtensionShouldRejectInvalidPathWithValidQueryStringFormatParameter()
+    {
+        const string uri = "http://www.example.org/some/path/to/image.svg?width=300&format=jpg";
+        Assert.False(FormatUtilities.TryGetExtensionFromUri(uri, out _));
+    }
 }