C# Image.FromStream is that secure?

Question

after reading the data from the request as Stream i needed to convert it to Image so i used this Method:

Stream inputStream = HttpContext.Current.Request.InputStream;
Image img = Image.FromStream(inputStream)

so while im unable to know what was in that inputStream (file format is done already but still..) there may be a virus or malware, so in that case FromStream(Stream) would throw ArgumentException. since it's not an image.

my question is - If the file uploaded contains a virus, and the method throws an exception while trying to convert the stream to Image: did that make any harm to the server? if so, how to avoid it? what should be the scenario for handling file upload in the server? im just wondering rather or not i need to scan for viruses in the scenario of photo-uploading.

Answer 1

If the uploaded file is in a valid image format, .FromStream will not throw an exception, even if it contains a virus. That is, there is no virus checking in it.

On the other hand, there is also no way for the virus to activate, since the file at this point is only being handled as raw bytes.
(It is certainly possible, if not feasible, that it contains an attack targeted directly at the .NET Image class, e.g. via buffer overflow. However, besides being highly improbable that such a vulnerability exists, it's even more unlikely that someone will go to the trouble of targeting such a niche vector).

So, at this point you are perfectly (realistically speaking) safe, but neither do you have any idea if the file is clean or not.

The real question becomes, what happens with this file afterwards?

Is it saved to disk, and used locally?
In this case you should have some form of anti-virus check it, if only for your benefit - if you believe in them, you can just have the local AV engine scan it.

Is it later returned to other users, and thus can use your system for spreading?
You should definitely have some form of AV scan before saving the file. Note that this may not be as simple, since you might be storing the images in your database (there are AV scanners that can be activated by API for a memory segment, before it gets saved to file)... In any event, I am categorically opposed to running antivirus scans directly on your actual systems. You'd be better off having some form of gateway AV scanner, before it even hits your system.

---

However, take into account that when you allow random users to upload arbitrary files, virus cleaning is not the utmost of your worries.

• For one, you can be swamped - either by huge files, or many smaller ones, thus DoSing your server.
• If the user can specify the saved file path - he could potentially overwrite system files, or upload executable code.
• If file attributes are saved, and later displayed (this includes file name and username, but also description, file type, location, etc) - this can lead to other standard web attacks, such as XSS or SQL Injection.
• Do a search here for GIFAR - these are files that are both valid image files, and valid JAR (Java Archive - executable code for the browser) files. These are of course not a virus...
• Depending on the system, you may be at risk for legal damages, if your users upload e.g. copyrighted images, or e.g. child pornography. Of course, consult with your lawyer, as I am not one.

TL;DR

In short, accepting arbitrary uploads does lead you into a whole mess of potential trouble, and virus scanning is not the worst of it.

Answer 2

Yes, the function is protected from all known buffer overflows, as Microsoft sends out patches for the .NET codebase. But it's not a complete solution.

For more information see these links:

• https://security.stackexchange.com/a/8625/396

Here are the protections I would employ when accepting images from untrusted sources:

• Patch the server: The Image class is part of the .NET framework so as long as you're on a supported framework, MSFT will prevent buffer overflows.

• Handle the ArgumentException from this class, since attempts to upload non-images will throw an exception. You can get early warning of attempted "hacks" with this exception.

• Check the extension and name of the image

• Don't allow the user to specify the directory (or control it tightly if you do)

• Check the content type against the extension.

• Run a virus checker against the image (e.g. VirusTotal)

• Use the header X-Content-Type-Options : Nosniff (more info) to protect from GIFR-style attacks.

• Don't show image metadata to the end users. Tools like Exiv2 allow the viewing and editing of untrusted data.

• Size Limit: Wrap the Stream class and allow that to cut off attempts to upload large files. If you're using ASP.NET then by default the server side component saves all the data to RAM first. Avoid memory exhaustion DoS by using a HTTPHandler that saves directly to disk.

• Use a separate DNS domain for serving images (more info)

• Convert all uploaded images to BMP, then to a common format (PNG, etc) (more info)

• Ensure that the above-mentioned conversion staging area is inaccessible to the public

• Inject the picture with noise (more info)