fix: sanitize meta data before handling image sizes

tijmenbruggeman · rkoopmans · commit 3df4bd53f9c9 · 2025-11-20T09:21:08.000+01:00
diff --git a/src/class-tiny-image.php b/src/class-tiny-image.php
@@ -49,10 +49,8 @@ private function parse_wp_metadata() {
 		if ( ! is_array( $this->wp_metadata ) ) {
 			$this->wp_metadata = wp_get_attachment_metadata( $this->id );
 		}
-		if ( ! is_array( $this->wp_metadata ) ) {
-			return;
-		}
-		if ( ! isset( $this->wp_metadata['file'] ) ) {
+
+		if ( ! is_array( $this->wp_metadata ) || ! isset( $this->wp_metadata['file'] ) ) {
 			/* No file metadata found, this might be another plugin messing with
 			   metadata. Simply ignore this! */
 			return;
@@ -72,11 +70,25 @@ private function parse_wp_metadata() {
 		$filename = $path_prefix . $this->name;
 		$this->sizes[ self::ORIGINAL ] = new Tiny_Image_Size( $filename );
 
-		if ( isset( $this->wp_metadata['sizes'] ) && is_array( $this->wp_metadata['sizes'] ) ) {
-			foreach ( $this->wp_metadata['sizes'] as $size_name => $info ) {
-				$this->sizes[ $size_name ] = new Tiny_Image_Size( $path_prefix . $info['file'] );
+		// Ensure 'sizes' exists and is an array to prevent PHP Warnings
+		$sizes = isset( $this->wp_metadata['sizes'] ) && is_array( $this->wp_metadata['sizes'] )
+		? $this->wp_metadata['sizes']
+		: array();
+
+		$sanitized_sizes = array();
+		foreach ( $sizes as $size_name => $size_info ) {
+			// size is valid when its an array and has a file
+			if ( is_array( $size_info ) && isset( $size_info['file'] ) ) {
+				// Add to sanitized metadata
+				$sanitized_sizes[ $size_name ] = $size_info;
+				$this->sizes[ $size_name ] = new Tiny_Image_Size(
+					$path_prefix . $size_info['file']
+				);
 			}
 		}
+
+		// Update the metadata with only the valid sizes found
+		$this->wp_metadata['sizes'] = $sanitized_sizes;
 	}
 
 	private function detect_duplicates( $active_sizes, $active_tinify_sizes ) {
diff --git a/test/unit/TinyImageTest.php b/test/unit/TinyImageTest.php
@@ -44,6 +44,52 @@ public function test_update_wp_metadata_should_update_with_resized_original() {
 		$this->assertEquals( 100, $tiny_image_metadata['height'] );
 		$this->assertEquals( 100, $tiny_image_metadata['filesize'] );
 	}
+	
+	public function test_parse_wp_metadata_should_ignore_invalid_sizes() {
+		$invalid_metadata = array(
+			'width' => 1256,
+			'height' => 1256,
+			'file' => '2015/09/tinypng_gravatar.png',
+			'sizes' => array(
+				'valid' => array(
+					'file' => 'tinypng_gravatar-200x200.png',
+					'width' => 200,
+					'height' => 200,
+					'mime-type' => 'image/png',
+				),
+				'missing-file' => array(
+					'width' => 50,
+					'height' => 50,
+					'mime-type' => 'image/png',
+				),
+				'scalar-size' => 'tinypng_gravatar-300x300.png',
+				'null-size' => null,
+				'valid-second' => array(
+					'file' => 'tinypng_gravatar-400x400.png',
+					'mime-type' => 'image/png',
+				),
+			),
+			'image_meta' => array(),
+		);
+
+		$tiny_image = new Tiny_Image( $this->settings, 999, $invalid_metadata );
+
+		$this->assertEquals(
+			array(
+				'valid' => array(
+					'file' => 'tinypng_gravatar-200x200.png',
+					'width' => 200,
+					'height' => 200,
+					'mime-type' => 'image/png',
+				),
+				'valid-second' => array(
+					'file' => 'tinypng_gravatar-400x400.png',
+					'mime-type' => 'image/png',
+				),
+			),
+			$tiny_image->get_wp_metadata()['sizes']
+		);
+	}
 
 	public function test_get_images_should_return_all_images() {
 		$this->assertEquals( array(
