fix(tradein): image_sanitizer — reject decompression-bomb до декода (R2 security) #2495
No reviewers
Labels
No labels
admin
analytics
auth
automation
bug
business
chore
ci
compliance
data
data-moat
docs
duplicate
dx
enhancement
Fable 5 ревью
feedback/max
generative
GG-форсайт
needs-discussion
needs-human
observability
pause-bots
performance
priority/p0
priority/p1
priority/p2
priority/p3
scope/backend
scope/db
scope/devops
scope/frontend
scope/qa
scrapers
security
site-finder
stage/1
stage/2
status/blocked
status/done
status/needs-analysis
status/needs-fix
status/qa
status/ready
status/review
status/wip
tech-debt
tradein
ux
week ревью 1
wontfix
вторичка
ИРД
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lekss361/gendesign#2495
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "fix/tradein-image-dos"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
R2 MEDIUM (security) — image_sanitizer decompression-bomb / pixel-flood DoS
sanitize_imageдекодировал (img.load()) до resize, аMAX_IMAGE_PIXELSбыл дефолтный (~89MP). Pilot грузит ≤10МБ сильно-сжатое изображение с заявленными ~89-178MP → декод в сотни МБ RGB → OOM бэкенда (768МБ), ×12 слотов.Fix (defense-in-depth):
_MAX_PIXELS=40MPcap + guardimg.size(из хедера, БЕЗ декода) доimg.load()→ reject oversized;Image.MAX_IMAGE_PIXELS=40MP(Pillow сам бросит DecompressionBombError на любом декод-пути); байтовый backstop 10МиБ. Контракт caller не тронут (bad image →ImageSanitizationError→ HTTP 400, не 500). 7 тестов (вкл. pixel-flood reject сimg.load.assert_not_called()).