
imageresizer.plugins.episerverblobreader's Introduction


ImageResizer.Plugins.EPiServerBlobReader

Nothing much to describe here :) Just install the NuGet package and it will register the EPiServer Blob reader plugin for ImageResizer, so that ImageResizer can serve and process images from EPiServer Media folders.

Breaking Changes (starting from v6.0)

If you use the fluent API to resize an image and pass in null, string.Empty or ContentReference.EmptyReference, you will get an ArgumentNullException.

Render Image in Markup

The most convenient way to render an image in markup is to use the HtmlHelper extension method:

@using ImageResizer.Plugins.EPiServer

<img src="@Html.ResizeImage(Model.CurrentPage.MainImage, 100, 100)" />

For visitors this produces the following markup (assuming the image is a PNG):

<img src="/.../image.png?w=100&h=100">

In edit mode it generates something like this:

<img src="/.../image.png,,{CONTENT-ID}?epieditmode=False&w=100&h=100">

ResizeImage returns a UrlBuilder, so you can fluently chain any additional parameters if needed:

<img src="@Html.ResizeImage(Model.CurrentPage.MainImage, 100, 150).Add("gradient", "true").Add("bgcolor", "red")" />

Render Image Markup (Fluent)

You can also use the basic fluent API support:

<img src="@Html.ResizeImage(CurrentPage.MainImage).Width(200)
                                                  .Height(200)
                                                  .Scale(ScaleMode.Both)
                                                  .FitMode(FitMode.Crop)" />

Render Image Markup with Fallback (Fluent)

If you need to fall back to another image when the given ContentReference is empty (and don't want to check for null or ContentReference.EmptyReference yourself), you can use resize image with fallback:

<img src="@Html.ResizeImageWithFallback(CurrentPage.MainImage, "/no-image.jpg").Width(200).Height(200).Scale(ScaleMode.Both).FitMode(FitMode.Crop)" />

Render Picture Element

This is pretty simple as well.

  1. Define a picture profile. A profile is metadata that describes how to render the <picture> element.
public static PictureProfile SampleImage =
    new PictureProfile
    {
        SrcSetWidths = new[] { 480, 768, 992, 1200 },
        SrcSetSizes = new[]
        {
            "50vw",
        },
        DefaultWidth = 992
    };

The profile has a couple of properties for customizing the element:

  • Source set sizes (SrcSetSizes) - regulates the image size for various media conditions.
  • Source set widths (SrcSetWidths) - regulates the various image sizes (resized to the widths specified here). Used to generate the srcset attribute.
  • Default width (DefaultWidth) - the default width of the image. This is for old-school browsers that have no clue the <picture> element exists.
  2. Call the actual rendering method:
@Html.ResizePicture(Model.CurrentPage.MainImage, PictureProfiles.SampleImage)
  3. The code above generates the following markup:
<picture>
    <source sizes="50vw"
            srcset="/globalassets/batman.jpg?w=480 480w,
                    /globalassets/batman.jpg?w=768 768w,
                    /globalassets/batman.jpg?w=992 992w,
                    /globalassets/batman.jpg?w=1200 1200w">
    <img alt="" src="/globalassets/batman.jpg?w=992">
</picture>

More info about how to render picture element - here.
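
A sketch of how a profile maps onto the markup above, added here as an illustration; it is not the plugin's code. SketchProfile and PictureMarkupSketch are hypothetical names that model only the three documented properties, and the handling of a URL that already has a query string (as the edit-mode URL shown earlier does) and the attribute encoding are assumptions about what a renderer has to get right.

```csharp
using System;
using System.Linq;
using System.Net;

// Hypothetical stand-in for the plugin's PictureProfile (assumption):
// only the three properties documented in this README are modelled.
public sealed class SketchProfile
{
    public int[] SrcSetWidths { get; set; }
    public string[] SrcSetSizes { get; set; }
    public int DefaultWidth { get; set; }
}

public static class PictureMarkupSketch
{
    // Appends w=<width>. If the URL already has a query string
    // (edit-mode URLs carry ?epieditmode=False), join with '&' instead of '?'.
    private static string WithWidth(string url, int width)
    {
        var separator = url.IndexOf('?') >= 0 ? "&" : "?";
        return url + separator + "w=" + width;
    }

    // Values end up inside HTML attributes, so '&', '"', '<' and '>' must be encoded.
    private static string Attr(string value)
    {
        return WebUtility.HtmlEncode(value);
    }

    public static string Render(string imageUrl, SketchProfile profile)
    {
        // Mirrors the v6.0 behaviour described above: empty input is an error,
        // not a silently broken <img>.
        if (string.IsNullOrEmpty(imageUrl))
            throw new ArgumentNullException(nameof(imageUrl));
        if (profile == null)
            throw new ArgumentNullException(nameof(profile));
        if (profile.SrcSetWidths == null || profile.SrcSetWidths.Length == 0)
            throw new ArgumentException("At least one srcset width is required.", nameof(profile));

        // One "<url>?w=<width> <width>w" candidate per configured width.
        var srcset = string.Join(", ",
            profile.SrcSetWidths.Select(w => WithWidth(imageUrl, w) + " " + w + "w"));
        var sizes = string.Join(", ", profile.SrcSetSizes ?? new string[0]);

        // The <img> fallback uses DefaultWidth for browsers without <picture> support.
        return "<picture>\n"
             + "    <source sizes=\"" + Attr(sizes) + "\"\n"
             + "            srcset=\"" + Attr(srcset) + "\">\n"
             + "    <img alt=\"\" src=\"" + Attr(WithWidth(imageUrl, profile.DefaultWidth)) + "\">\n"
             + "</picture>";
    }
}

public static class Program
{
    public static void Main()
    {
        var profile = new SketchProfile
        {
            SrcSetWidths = new[] { 480, 768, 992, 1200 },
            SrcSetSizes = new[] { "50vw" },
            DefaultWidth = 992
        };

        // Same image path as in the generated markup above.
        Console.WriteLine(PictureMarkupSketch.Render("/globalassets/batman.jpg", profile));

        // Constructed URL that already carries a query string.
        Console.WriteLine(PictureMarkupSketch.Render("/globalassets/batman.jpg?epieditmode=False", profile));
    }
}
```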


Happy imaging!

imageresizer.plugins.episerverblobreader's People

Contributors

kattenpejst, larswp, mamort, marisks, mend-bolt-for-github[bot], svenrog, valdisiljuconoks, yauhenibutsko


imageresizer.plugins.episerverblobreader's Issues

Can't use custom template for images in edit mode

Hi,

I've noticed that custom templates won't get loaded on Episerver CMS (UI) version 9.6.2 when plugin is enabled. If I disable the plugin or uninstall it the custom templates are working just fine. Templates used to work with previous episerver (CMS 8) and plugin version (3.0.1).

For example following custom edit view for images does not work with Alloy demo if plugin is enabled.
I was just thinking if this could be related to issue #10?

CustomPreviewTemplateForAlloyDemo.zip

WS-2015-0017 (Medium) detected in uglify-js-2.3.6.tgz

WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later



WS-2015-0024 (High) detected in uglify-js-2.3.6.tgz

WS-2015-0024 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24



WS-2018-0168 (Medium) detected in dojo-1.9.4.tgz

WS-2018-0168 - Medium Severity Vulnerability

Vulnerable Library - dojo-1.9.4.tgz

Dojo core is a powerful, lightweight library that makes common tasks quicker and easier. Animate elements, manipulate the DOM, and query with easy CSS syntax, all without sacrificing performance.

Library home page: https://registry.npmjs.org/dojo/-/dojo-1.9.4.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/intern-geezer/node_modules/dojo/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • dojo-1.9.4.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Fix potential XSS vulnerability. Since this is in a DOH test that isn't used anymore nor run automatically, the threat is minimal.

Publish Date: 2018-09-26

URL: WS-2018-0168

CVSS 2 Score Details (4.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: dojo/dojo@9117ffd

Release Date: 2018-08-10

Fix Resolution: Replace or update the following files: i18nExhaustive.js, unit.html, test-instructions.md



CVE-2018-20834 (High) detected in tar-0.1.20.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution: 2.2.2,4.4.2



CVE-2018-16487 (High) detected in lodash-2.4.2.tgz

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11



WS-2019-0333 (High) detected in handlebars-1.3.0.tgz - autoclosed

WS-2019-0333 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possible to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution: handlebars - 4.5.3



CVE-2019-8331 (Medium) detected in bootstrap-2.0.4.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js

Path to vulnerable library: /samples/SampleAlloy/Static/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.0.4.js (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1



CVE-2018-20676 (Medium) detected in bootstrap-2.0.4.js

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js

Path to vulnerable library: /samples/SampleAlloy/Static/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.0.4.js (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0



CVE-2016-10540 (High) detected in minimatch-0.3.0.tgz, minimatch-0.4.0.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-0.4.0.tgz

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • fileset-0.1.8.tgz
        • glob-3.2.11.tgz
          • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.4.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • fileset-0.1.8.tgz
        • minimatch-0.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.



Images are broken for WebEditors

In EpiServer, when logged in as editor an uploaded image is broken in the following circumstances:

  • In Media - Select Image - Edit
  • Cannot drag/drop onto HTML editor
  • When selecting the image in TinyMCE
  • After selecting the image using Tiny MCE

WS-2019-0100 (Medium) detected in fstream-0.1.31.tgz

WS-2019-0100 - Medium Severity Vulnerability

Vulnerable Library - fstream-0.1.31.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fstream/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz
          • fstream-0.1.31.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12



Version 2 requires .NET Framework 4.5.2

Are there any requirements in the module that prevent it from targeting 4.5? I know, kind of old, and EPiServer CMS 9 requires v4.5.2 according to the System Requirements.

However, it works with 4.5, and a lot of projects upgraded to CMS 9 have not been retargeted to 4.5.2. When they install the latest package, the assembly is not referenced. Since it is loaded by the ImageResizer plug-in system, it just fails silently when not found. The images just won't be resized anymore. Hard to troubleshoot (you'll see it in /resizer.debug if you know about it.)

CVE-2020-12265 (High) detected in decompress-0.2.3.tgz

CVE-2020-12265 - High Severity Vulnerability

Vulnerable Library - decompress-0.2.3.tgz

Easily extract zip, tar and tar.gz archives

Library home page: https://registry.npmjs.org/decompress/-/decompress-0.2.3.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/decompress/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Publish Date: 2020-04-26

URL: CVE-2020-12265

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: 4.2.1



WS-2019-0064 (High) detected in handlebars-1.3.0.tgz

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-04-30

URL: WS-2019-0064

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-04-30

Fix Resolution: 1.0.6-2,4.0.14,4.1.2



WS-2018-0590 (High) detected in diff-1.1.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.1.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.1.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/diff/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • diff-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2019-06-11

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0



Images without extension

ImageResizer does not kick in on images without extensions (jpg, png, gif...) in its name.
The type used is ImageFile which is derived from ImageData.
Is there any solution to this without making sure the extension always exists?

WS-2015-0003 (Medium) detected in handlebars-1.3.0.tgz

WS-2015-0003 - Medium Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Quoteless Attributes in Templates can lead to Content Injection

Publish Date: 2015-12-14

URL: WS-2015-0003

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/61

Release Date: 2015-12-14

Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.



Specify dependencies in nuspec

Please specify your dependencies in the nuspec file. That way it is easier to determine what version of episerver, imageresizer, etc. is supported, or required.

WS-2019-0047 (Medium) detected in tar-0.1.20.tgz

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2



CVE-2015-8858 (High) detected in uglify-js-2.3.6.tgz

CVE-2015-8858 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0



CVE-2014-4075 (Low) detected in microsoft.aspnet.mvc.4.0.20710.nupkg

CVE-2014-4075 - Low Severity Vulnerability

Vulnerable Library - microsoft.aspnet.mvc.4.0.20710.nupkg

This package contains the runtime assemblies for ASP.NET MVC. ASP.NET MVC gives you a powerful, patt...

Library home page: https://api.nuget.org/packages/microsoft.aspnet.mvc.4.0.20710.nupkg

Path to dependency file: /ImageResizer.Plugins.EPiServerBlobReader.csproj

Path to vulnerable library: /ImageResizer.Plugins.EPiServerBlobReader.csproj

Dependency Hierarchy:

  • microsoft.aspnet.mvc.4.0.20710.nupkg (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) 2.0 through 5.1 allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability."

Publish Date: 2014-10-15

URL: CVE-2014-4075

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-059#mvc-xss-vulnerability---cve-2014-4075

Release Date: 2014-10-15

Fix Resolution: Microsoft.AspNet.Mvc - 3.0.50813.1 ,4.0.40804.0 ,5.0.2, 5.1.3



CVE-2015-8857 (High) detected in uglify-js-2.3.6.tgz

CVE-2015-8857 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24



WS-2019-0332 (High) detected in handlebars-1.3.0.tgz - autoclosed

WS-2019-0332 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-17

Fix Resolution: handlebars - 4.5.3



CVE-2019-19919 (High) detected in handlebars-1.3.0.tgz

CVE-2019-19919 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

Release Date: 2019-12-20

Fix Resolution: handlebars - 4.3.0



CVE-2019-20920 (High) detected in handlebars-1.3.0.tgz

CVE-2019-20920 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3



CVE-2018-20677 (Medium) detected in bootstrap-2.0.4.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js

Path to vulnerable library: /samples/SampleAlloy/Static/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.0.4.js (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0



CVE-2018-3721 (Medium) detected in lodash-2.4.2.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5



PdfRenderer doesn't work because regexes don't contain "pdf"

The PdfRenderer plugin doesn't work with EPiServerBlobReader. The regexes only include image file extensions, so the reader ignores PDF files. As the ToDos suggest, ideally the list of supported file extensions should not be hard-coded but would instead be acquired from the plugins that ImageResizer has loaded at the time. I think you can get those using ImageResizer.Configuration.Config.Current.Pipeline.AcceptedImageExtensions.

CVE-2020-5258 (High) detected in dojo-1.9.4.tgz

CVE-2020-5258 - High Severity Vulnerability

Vulnerable Library - dojo-1.9.4.tgz

Dojo core is a powerful, lightweight library that makes common tasks quicker and easier. Animate elements, manipulate the DOM, and query with easy CSS syntax, all without sacrificing performance.

Library home page: https://registry.npmjs.org/dojo/-/dojo-1.9.4.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/intern-geezer/node_modules/dojo/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • dojo-1.9.4.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Publish Date: 2020-03-10

URL: CVE-2020-5258

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258

Release Date: 2020-03-10

Fix Resolution: dojo - 1.11.10,1.12.8,1.13.7,1.14.6,1.15.3,1.16.2



Rendered HTML doesn't validate

The rendered HTML for the picture element doesn't validate (https://validator.w3.org) with the following error message:
Error: Stray end tag source.

Error: Stray end tag img.

Both the source and the img tags are self closing tags and should be closed as />.

WS-2015-0025 (High) detected in tar-0.1.20.tgz

WS-2015-0025 - High Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

The tar module earlier than version 2.0.0 allows for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

Publish Date: 2015-11-03

URL: WS-2015-0025

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/57

Release Date: 2015-11-03

Fix Resolution: Update to a version 2.0.0 or greater



CVE-2020-8203 (High) detected in lodash-2.4.2.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19



fakeExtensions

I have the following in my web.config in imageresize:

And then I make my image URLs as /globalassets/card-campaign.png.webp
and then the png will be served as a webp image.

When FileExists is called in EPiServerBlobReaderPlugin the virtualPath is "/globalassets/card-campaign.png" but the result is false.

I made my own version of the plugin and changed the Content getter in EPiServerBlobFile to use UrlResolver instead of IContentRouteHelper like this:
this._content = _urlResolver.Route(new UrlBuilder(VirtualPath));
//this._content = this._contentRouteHelper.Content;

And now it works. Could you put that in your plugin?

Why is format always image/png ?

(I realise that the following question might be more ImageResizer-specific, but since this is the integration I use...)

Thanks for this great package. But my teaser versions et al. become huge PNGs, even when the source file is jpeg.

Do you know anything?

WS-2019-0492 (High) detected in handlebars-1.3.0.tgz - autoclosed

WS-2019-0492 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3



Can't download unprocessed version of image in edit mode

If you download an image file in the Media gadget (via the context menu) you always end up with a processed version of the file. This is especially problematic when using the PdfiumRenderer plugin, because you get a JPG-rendered version of the PDF file, instead of the PDF file itself.

The reason why this happens is that in OnPostAuthorizeRequestStart you modify the request URL by removing everything after the first comma. The download URL looks like /episerver/CMS/Content/globalassets/file.pdf,,97535/Download?epieditmode=False. So you end up with
/episerver/CMS/Content/globalassets/file.pdf and since you also have "process", ProcessWhen.Always.ToString(), the file is processed even though there are no ImageResizer query parameters in the URL (why would you force processing anyway?).

This leads to a bigger question: what's the point of the whole OnPostAuthorizeRequestStart method? It's relatively slow, because it uses UrlResolver.Route() and it's not supposed to be slow, since it's called for every single request. As far as I can tell, the method is used so that cached images are not served in the edit mode. But that would not be a problem if you didn't strip everything after the comma in the URL, since Episerver adds the content work ID in the URL anyway, e.g.:
/episerver/CMS/Content/globalassets/file.pdf,,97535_262312?epieditmode=False
/episerver/CMS/Content/globalassets/file.pdf,,97535_262312?/Thumbnail?epieditmode=False?1463982947728
So if the content changes, the URL changes and caching shouldn't be a problem.

I've tried using the BlobReader plugin without the OnPostAuthorizeRequestStart, and so far I haven't noticed any problems with it. So unless there's a good reason for the method, it should be removed, as it already has bugs in it and is error-prone due to magic literals like "Thumbnail?epieditmode".

Release Build

Hi,
from what I can tell, your release build is still in debug mode. Are you able to fix this?

CVE-2019-10744 (High) detected in lodash-2.4.2.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0



CVE-2015-8860 (High) detected in tar-0.1.20.tgz

CVE-2015-8860 - High Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_5a4878f9-d8e5-497b-8c05-a9cd823886fc/20190625174537_68565/git_depth_0/ImageResizer.Plugins.EPiServerBlobReader/samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 09ada28d8042f6cae9285a7a8ef390381ae0d14e

Vulnerability Details

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

Publish Date: 2017-01-23

URL: CVE-2015-8860

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8860

Release Date: 2017-01-23

Fix Resolution: 2.0.0



Error when using CMS 9.0

System.IO.FileNotFoundException: Could not load file or assembly 'EPiServer.BaseLibrary, Version=8.5.0.0, Culture=neutral, PublicKeyToken=8fe83dea738b45b7' or one of its dependencies. The system cannot find the file specified.
File name: 'EPiServer.BaseLibrary, Version=8.5.0.0, Culture=neutral, PublicKeyToken=8fe83dea738b45b7' ---> System.IO.FileNotFoundException: Could not load file or assembly 'EPiServer.BaseLibrary, Version=7.5.394.2, Culture=neutral, PublicKeyToken=8fe83dea738b45b7' or one of its dependencies. The system cannot find the file specified.
File name: 'EPiServer.BaseLibrary, Version=7.5.394.2, Culture=neutral, PublicKeyToken=8fe83dea738b45b7'

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value HKLM\Software\Microsoft\Fusion!EnableLog to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

at ImageResizer.Plugins.EPiServerBlobReader.EPiServerBlobFile.get_Content()
at ImageResizer.Plugins.EPiServerBlobReader.EPiServerBlobFile.get_BlobExists()
at ImageResizer.Configuration.PipelineConfig.GetFile(String virtualPath, NameValueCollection queryString)
at ImageResizer.InterceptModule.CheckRequest_PostAuthorizeRequest(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

EPICommerce Catalog images broken

When using Episerver Commerce, the thumbnail product images are broken in edit mode of catalog entry:
This issue arises when installing the imageresizer component. Episerver Commerce OOTB uses a LargeThumbnail URL which breaks when using imageresizer. An example URL format which is used:
https://localhost/EPiServer/CMS/Content/siteassets/image.png,,492/LargeThumbnail?epieditmode=False&time=1522135887646
I think something needs to be changed in the URL filtering mechanism to not let imageresizer handle this functionality, but to fall back on OOTB epi functionality.

To reproduce easily: install quicksilver example, install ImageResizer.Plugins.EPiServerBlobReader package and check behavior in catalog.

Caching of images

We've recently been using this in a new build and we've seen some odd caching issues.

We have a set of presets, and when we go to an image using one of the presets it resizes. We can change the preset maybe one or two times and it works, but then it will just stop serving resized images and resizes to the last one that was working.

E.g. preset1, preset2, preset3, preset 4

request to preset1 works fine
request to preset2 works fine
request to preset3 returns preset2

Any requests after that all return preset2, and removing presets and trying the h and w params does the same.

All browser caching is definitely turned off and there are no errors in the log.

CVE-2015-8861 (Medium) detected in handlebars-1.3.0.tgz

CVE-2015-8861 - Medium Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /samples/SampleAlloy/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ed55fb118057ec0315ddc2aa4a36ed8577da41b

Found in base branch: master

Vulnerability Details

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

Publish Date: 2017-01-23

URL: CVE-2015-8861

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/61

Release Date: 2017-01-23

Fix Resolution: 4.0.0
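
A check for the template pattern named in the Vulnerability Details above (a Handlebars expression used as an attribute value without quotes), as an added example that is not part of the original report or of this project's code. The function names and the sample template are constructed for illustration, and the tag matcher assumes attribute values contain no `>`.

```javascript
'use strict';

// Opening tags only; assumes no '>' inside attribute values (simplification).
const TAG = /<[A-Za-z][^<>]*>/g;
// Quoted attribute values are blanked first so expressions inside them are ignored.
const QUOTED = /"[^"]*"|'[^']*'/g;
// name = {{expr}} or name = {{{expr}}} with no quote opening the value.
const UNQUOTED = /([^\s"'<>\/=]+)\s*=\s*(\{\{\{?[^{}]+\}\}\}?)/g;

// Returns one finding per attribute whose whole value is an unquoted expression.
function findUnquotedAttributes(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG)) {
    // 1-based line number of the tag's opening '<'.
    const line = template.slice(0, tag.index).split('\n').length;
    const bare = tag[0].replace(QUOTED, '""');
    for (const m of bare.matchAll(UNQUOTED)) {
      findings.push({ line, attribute: m[1], expression: m[2] });
    }
  }
  return findings;
}

// Formats findings for a build log or pre-commit hook.
function report(template) {
  return findUnquotedAttributes(template)
    .map(f => `line ${f.line}: ${f.attribute}=${f.expression} is not quoted`);
}

// Constructed sample template: three unquoted values, four quoted ones.
const SAMPLE = [
  '<div class="card">',
  '  <a href={{url}} title="{{title}}">{{label}}</a>',
  '  <img src="{{image}}" alt={{ caption }} data-note="x={{y}}">',
  '  <input value=\'{{value}}\' data-id = {{id}}>',
  '</div>',
].join('\n');

console.log(report(SAMPLE).join('\n'));
```

Quoting every flagged attribute value removes the pattern from the templates; the report's fix for the library itself remains the upgrade to 4.0.0.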



If image is null, throwing exception

Hi Valdis,

If Model.CurrentPage.Image is null, it throws an exception on page render when the page is created in edit mode:
@if (!ContentReference.IsNullOrEmpty(Model.CurrentPage.Image) || PageEditing.PageIsInEditMode) {<div class="image" @Html.EditAttributes(m => m.CurrentPage.Image)><img src="@Html.ResizeImage(Model.CurrentPage.Image).Width(795).Height(530).FitMode(FitMode.Crop)" /></div>}

The default behavior with Url.ContentUrl(Model.CurrentPage.Image) is normally to return an empty string.

Workaround
<img src="@Url.ContentUrl(Model.CurrentPage.Image)?width=795&height=530&mode=crop" />

With PageEditing.PageIsInEditMode, I want to show the property in edit mode, to be able to change it.

Request
Add fallback image property
@Html.ResizeImage(Model.CurrentPage.MainImage, "/content/images/no-image-found.jpg").Width(795).Height(530).FitMode(FitMode.Crop)

Also, a nicer exception message saying something like "Image is null, please use the fallback property".

Do you want me to contribute and send a pull request?

Are there any possible differences between master and the nuget packages?

I have a user who's reporting that the NuGet package works, but when he compiles this project in release mode, it doesn't. He was trying to self-compile since the NuGet package was compiled in debug mode.

I don't have any more detail, I'm afraid.

Thanks for providing the NuGet package and posting this on GitHub! It's been a big help!
