Merge pull request #265 from SixLabors/js/fix-hmac-cache-token

JimBobSquarePants · web-flow · commit b86ae56bf0e5 · 2022-05-18T22:45:54.000+10:00
Use full URl as HMAC cache key
diff --git a/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs b/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs
@@ -246,7 +246,7 @@ private async Task Invoke(HttpContext httpContext, bool retry)
 
             ImageCommandContext imageCommandContext = new(httpContext, commands, this.commandParser, this.parserCulture);
 
-            // At this point we know that this is an image request so should attempt to compute a validating HMAC..
+            // At this point we know that this is an image request so should attempt to compute a validating HMAC.
             string hmac = null;
             if (checkHMAC && token != null)
             {
@@ -256,7 +256,8 @@ private async Task Invoke(HttpContext httpContext, bool retry)
                 // the token will not match our validating HMAC, however, this would be indicative of an attack and should be treated as such.
                 //
                 // As a rule all image requests should contain valid commands only.
-                hmac = await HMACTokenLru.GetOrAddAsync(token, _ => this.options.OnComputeHMACAsync(imageCommandContext, secret));
+                // Key generation uses string.Create under the hood with very low allocation so should be good enough as a cache key.
+                hmac = await HMACTokenLru.GetOrAddAsync(httpContext.Request.GetEncodedUrl(), _ => this.options.OnComputeHMACAsync(imageCommandContext, secret));
             }
 
             await this.options.OnParseCommandsAsync.Invoke(imageCommandContext);
