tenseleyflow/shithub / c090746

+	golang.org/x/image v0.39.0 // indirect

+golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=

+golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package avatars

+

+import (

+	"bytes"

+	"crypto/sha256"

+	"encoding/hex"

+	"errors"

+	"fmt"

+	"image"

+	"image/png"

+	"io"

+	"strings"

+

+	// Side-effect imports register decoders for jpeg/gif inputs.

+	_ "image/gif"

+	_ "image/jpeg"

+

+	"golang.org/x/image/draw"

+)

+

+// MaxUploadBytes caps how big an uploaded avatar may be before decoding.

+// Stops trivially large uploads from soaking RAM during decode.

+const MaxUploadBytes = 5 * 1024 * 1024 // 5 MiB

+

+// MaxPixelArea bounds the *decoded* image's pixel area as a defense-in-depth

+// check against decompression-bomb attacks: a small file (well under

+// MaxUploadBytes) can decode to a huge image. We reject anything past 24

+// megapixels (e.g. 4900×4900), well above any reasonable avatar source.

+const MaxPixelArea = 24 * 1000 * 1000

+

+// VariantSizes is the set of resize targets we generate per upload. The

+// largest is what the public avatar route serves; smaller ones are kept

+// so a future "/avatars/:user/:size" route can serve them without

+// re-resizing.

+var VariantSizes = []int{460, 200, 40}

+

+// Variant is one rendered output: a sized PNG ready for upload to the

+// object store.

+type Variant struct {

+	Size int    // edge length in pixels (Size × Size)

+	Data []byte // PNG bytes

+}

+

+// Errors surfaced to the handler. Each maps to a friendly UI message.

+var (

+	ErrTooLarge      = errors.New("avatars: upload exceeds size limit")

+	ErrUnsupported   = errors.New("avatars: unsupported image format")

+	ErrDecompression = errors.New("avatars: image dimensions exceed limit")

+	ErrDecode        = errors.New("avatars: could not decode image")

+)

+

+// Process reads an uploaded image, validates it, and produces resized

+// PNG variants. It strips EXIF as a side effect of re-encoding.

+//

+// Returns the variants in VariantSizes order plus a content-addressed key

+// component (sha256 of the largest variant's bytes) the caller can embed

+// in the storage path.

+func Process(r io.Reader) ([]Variant, string, error) {

+	// Bound the read up-front; one extra byte to detect overflow.

+	limited := io.LimitReader(r, MaxUploadBytes+1)

+	raw, err := io.ReadAll(limited)

+	if err != nil {

+		return nil, "", fmt.Errorf("read upload: %w", err)

+	}

+	if int64(len(raw)) > MaxUploadBytes {

+		return nil, "", ErrTooLarge

+	}

+

+	// Decode metadata first so we can reject decompression bombs without

+	// allocating the full pixel buffer.

+	cfg, format, err := image.DecodeConfig(bytes.NewReader(raw))

+	if err != nil {

+		return nil, "", ErrDecode

+	}

+	if !isSupportedFormat(format) {

+		return nil, "", ErrUnsupported

+	}

+	if int64(cfg.Width)*int64(cfg.Height) > MaxPixelArea {

+		return nil, "", ErrDecompression

+	}

+

+	src, _, err := image.Decode(bytes.NewReader(raw))

+	if err != nil {

+		return nil, "", ErrDecode

+	}

+

+	// Square-crop to the shorter side so the resize doesn't squash.

+	cropped := centerSquareCrop(src)

+

+	out := make([]Variant, 0, len(VariantSizes))

+	for _, size := range VariantSizes {

+		dst := image.NewRGBA(image.Rect(0, 0, size, size))

+		draw.CatmullRom.Scale(dst, dst.Bounds(), cropped, cropped.Bounds(), draw.Over, nil)

+		buf := &bytes.Buffer{}

+		if err := png.Encode(buf, dst); err != nil {

+			return nil, "", fmt.Errorf("encode %dpx: %w", size, err)

+		}

+		out = append(out, Variant{Size: size, Data: buf.Bytes()})

+	}

+

+	// Content-addressed key from the largest (first) variant. Avatar URLs

+	// embed this hash so caches invalidate when the image changes.

+	digest := sha256.Sum256(out[0].Data)

+	return out, hex.EncodeToString(digest[:])[:16], nil

+}

+

+// isSupportedFormat whitelists the formats we'll accept. PNG, JPEG, GIF

+// are the GitHub-set; we re-encode all to PNG so output is uniform.

+func isSupportedFormat(format string) bool {

+	switch strings.ToLower(format) {

+	case "png", "jpeg", "gif":

+		return true

+	}

+	return false

+}

+

+// centerSquareCrop returns a centered square sub-image of src. If src is

+// already square, returns src unchanged.

+func centerSquareCrop(src image.Image) image.Image {

+	b := src.Bounds()

+	w, h := b.Dx(), b.Dy()

+	if w == h {

+		return src

+	}

+	side := w

+	if h < side {

+		side = h

+	}

+	x0 := b.Min.X + (w-side)/2

+	y0 := b.Min.Y + (h-side)/2

+	rect := image.Rect(x0, y0, x0+side, y0+side)

+	type subImager interface {

+		SubImage(r image.Rectangle) image.Image

+	}

+	if si, ok := src.(subImager); ok {

+		return si.SubImage(rect)

+	}

+	// Fallback: copy the cropped region.

+	dst := image.NewRGBA(image.Rect(0, 0, side, side))

+	draw.Copy(dst, image.Point{}, src, rect, draw.Src, nil)

+	return dst

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package avatars_test

+

+import (

+	"bytes"

+	"image"

+	"image/color"

+	"image/jpeg"

+	"image/png"

+	"strings"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/avatars"

+)

+

+func makePNG(t *testing.T, w, h int) []byte {

+	t.Helper()

+	img := image.NewRGBA(image.Rect(0, 0, w, h))

+	for y := 0; y < h; y++ {

+		for x := 0; x < w; x++ {

+			img.Set(x, y, color.RGBA{R: 200, G: 100, B: 50, A: 255})

+		}

+	}

+	buf := &bytes.Buffer{}

+	if err := png.Encode(buf, img); err != nil {

+		t.Fatalf("encode: %v", err)

+	}

+	return buf.Bytes()

+}

+

+func makeJPEG(t *testing.T, w, h int) []byte {

+	t.Helper()

+	img := image.NewRGBA(image.Rect(0, 0, w, h))

+	buf := &bytes.Buffer{}

+	if err := jpeg.Encode(buf, img, &jpeg.Options{Quality: 80}); err != nil {

+		t.Fatalf("encode: %v", err)

+	}

+	return buf.Bytes()

+}

+

+func TestProcess_PNGRoundtrip(t *testing.T) {

+	t.Parallel()

+	src := makePNG(t, 800, 600) // landscape; expect center-crop to 600×600.

+	variants, hash, err := avatars.Process(bytes.NewReader(src))

+	if err != nil {

+		t.Fatalf("process: %v", err)

+	}

+	if len(variants) != len(avatars.VariantSizes) {

+		t.Fatalf("variants = %d, want %d", len(variants), len(avatars.VariantSizes))

+	}

+	for i, want := range avatars.VariantSizes {

+		v := variants[i]

+		if v.Size != want {

+			t.Errorf("variant[%d].Size = %d, want %d", i, v.Size, want)

+		}

+		cfg, err := png.DecodeConfig(bytes.NewReader(v.Data))

+		if err != nil {

+			t.Errorf("variant[%d] decode: %v", i, err)

+			continue

+		}

+		if cfg.Width != want || cfg.Height != want {

+			t.Errorf("variant[%d] dims = %dx%d, want %dx%d", i, cfg.Width, cfg.Height, want, want)

+		}

+	}

+	if len(hash) == 0 {

+		t.Fatal("hash is empty")

+	}

+}

+

+func TestProcess_JPEGAccepted(t *testing.T) {

+	t.Parallel()

+	src := makeJPEG(t, 1000, 1000)

+	if _, _, err := avatars.Process(bytes.NewReader(src)); err != nil {

+		t.Fatalf("jpeg accepted: %v", err)

+	}

+}

+

+func TestProcess_RejectsUnsupportedFormat(t *testing.T) {

+	t.Parallel()

+	_, _, err := avatars.Process(strings.NewReader("not an image at all"))

+	if err == nil {

+		t.Fatal("expected error for non-image input")

+	}

+}

+

+func TestProcess_RejectsTooLarge(t *testing.T) {

+	t.Parallel()

+	// Build a payload that exceeds MaxUploadBytes.

+	big := make([]byte, avatars.MaxUploadBytes+10)

+	_, _, err := avatars.Process(bytes.NewReader(big))

+	if err != avatars.ErrTooLarge {

+		t.Fatalf("err = %v, want ErrTooLarge", err)

+	}

+}

+

+func TestProcess_RejectsDecompressionBomb(t *testing.T) {

+	t.Parallel()

+	// Construct a tiny PNG header that *claims* huge dimensions but

+	// stays well under MaxUploadBytes.

+	// 10000 × 10000 = 100M pixels > 24M cap.

+	// Build a real but huge-size PNG using NewPaletted to keep file size low.

+	pal := []color.Color{color.White, color.Black}

+	img := image.NewPaletted(image.Rect(0, 0, 8000, 8000), pal)

+	buf := &bytes.Buffer{}

+	if err := png.Encode(buf, img); err != nil {

+		t.Fatalf("encode: %v", err)

+	}

+	if buf.Len() > avatars.MaxUploadBytes {

+		t.Skipf("constructed PNG (%d bytes) exceeds MaxUploadBytes; skipping", buf.Len())

+	}

+	_, _, err := avatars.Process(bytes.NewReader(buf.Bytes()))

+	if err != avatars.ErrDecompression {

+		t.Fatalf("err = %v, want ErrDecompression", err)

+	}

+}