Only block image requests and cache generated tokens.

JimBobSquarePants · JimBobSquarePants · commit 239453983305 · 2022-04-06T10:26:14.000+10:00
diff --git a/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs b/src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs
@@ -41,6 +41,12 @@ private static readonly ConcurrentTLruCache<string, ImageMetadata> SourceMetadat
         private static readonly ConcurrentTLruCache<string, (IImageCacheResolver, ImageCacheMetadata)> CacheResolverLru
             = new(1024, TimeSpan.FromSeconds(30));
 
+        /// <summary>
+        /// Used to temporarily store cached HMAC-s to reduce the overhead of HMAC token generation.
+        /// </summary>
+        private static readonly ConcurrentTLruCache<string, string> HMACTokenLru
+            = new(1024, TimeSpan.FromSeconds(30));
+
         /// <summary>
         /// The function processing the Http request.
         /// </summary>
@@ -222,19 +228,6 @@ private async Task Invoke(HttpContext httpContext, bool retry)
 
             ImageCommandContext imageCommandContext = new(httpContext, commands, this.commandParser, this.parserCulture);
 
-            if (doHMAC)
-            {
-                // Compare the passed token to our generated mac.
-                string mac = await this.options.OnComputeHMACAsync(imageCommandContext, secret);
-                if (mac != token)
-                {
-                    // Throw a 401. We don't log the error to avoid attempts at log poisoning.
-                    httpContext.Response.Clear();
-                    httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
-                    return;
-                }
-            }
-
             await this.options.OnParseCommandsAsync.Invoke(imageCommandContext);
 
             // Get the correct service for the request
@@ -256,6 +249,26 @@ private async Task Invoke(HttpContext httpContext, bool retry)
                 return;
             }
 
+            // At this point we know that this is a valid image request
+            // Check for a token if required and reject if invalid.
+            if (doHMAC)
+            {
+                if (token is null)
+                {
+                    // Throw a 401. We don't log the error to avoid attempts at log poisoning.
+                    SetUnauthorized(httpContext);
+                    return;
+                }
+
+                // Compare the passed token to our generated mac.
+                string mac = await HMACTokenLru.GetOrAddAsync(token, _ => this.options.OnComputeHMACAsync(imageCommandContext, secret));
+                if (mac != token)
+                {
+                    SetUnauthorized(httpContext);
+                    return;
+                }
+            }
+
             IImageResolver sourceImageResolver = await provider.GetAsync(httpContext);
 
             if (sourceImageResolver is null)
@@ -275,6 +288,13 @@ await this.ProcessRequestAsync(
                 retry);
         }
 
+        private static void SetUnauthorized(HttpContext httpContext)
+        {
+            httpContext.Response.Clear();
+            httpContext.Response.Headers.Add("WWW-Authenticate", "HMAC realm=\"" + httpContext.Request.Host + "\"");
+            httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+        }
+
         private void StripUnknownCommands(CommandCollection commands, int startAtIndex)
         {
             var keys = new List<string>(commands.Keys);
diff --git a/src/ImageSharp.Web/Middleware/ImageSharpMiddlewareOptions.cs b/src/ImageSharp.Web/Middleware/ImageSharpMiddlewareOptions.cs
@@ -19,7 +19,7 @@ public class ImageSharpMiddlewareOptions
         private Func<ImageCommandContext, byte[], Task<string>> onComputeHMACAsync = (context, secret) =>
         {
             string uri = CaseHandlingUriBuilder.BuildRelative(
-                 CaseHandlingUriBuilder.CaseHandling.LowerInvariant,
+                 CaseHandlingUriBuilder.CaseHandling.None,
                  context.Context.Request.PathBase,
                  context.Context.Request.Path,
                  QueryString.Create(context.Commands));
@@ -85,7 +85,7 @@ public class ImageSharpMiddlewareOptions
 
         /// <summary>
         /// Gets or sets the method used to compute a Hash-based Message Authentication Code (HMAC) for request authentication.
-        /// Defaults to <see cref="HMACUtilities.ComputeHMACSHA256(string, byte[])"/> using an invariant lowercase relative Uri
+        /// Defaults to <see cref="HMACUtilities.ComputeHMACSHA256(string, byte[])"/> using a relative Uri
         /// generated using <see cref="CaseHandlingUriBuilder.BuildRelative(CaseHandlingUriBuilder.CaseHandling, PathString, PathString, QueryString)"/>.
         /// </summary>
         public Func<ImageCommandContext, byte[], Task<string>> OnComputeHMACAsync
diff --git a/tests/ImageSharp.Web.Tests/TestUtilities/AuthenticatedServerTestBase.cs b/tests/ImageSharp.Web.Tests/TestUtilities/AuthenticatedServerTestBase.cs
@@ -1,6 +1,10 @@
 // Copyright (c) Six Labors.
 // Licensed under the Apache License, Version 2.0.
 
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Xunit;
 using Xunit.Abstractions;
 
 namespace SixLabors.ImageSharp.Web.Tests.TestUtilities
@@ -13,10 +17,30 @@ protected AuthenticatedServerTestBase(TFixture fixture, ITestOutputHelper output
         {
         }
 
+        [Fact]
+        public async Task CanRejectUnauthorizedRequestAsync()
+        {
+            string url = this.ImageSource;
+
+            // Send an unaugmented request without a token.
+            HttpResponseMessage response = await this.HttpClient.GetAsync(url + this.Fixture.Commands[0]);
+            Assert.NotNull(response);
+            Assert.False(response.IsSuccessStatusCode);
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+            Assert.True(response.Headers.Contains("WWW-Authenticate"));
+
+            // Now send an invalid token
+            response = await this.HttpClient.GetAsync(url + this.Fixture.Commands[0] + "&" + HMACUtilities.TokenCommand + "=INVALID");
+            Assert.NotNull(response);
+            Assert.False(response.IsSuccessStatusCode);
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+            Assert.True(response.Headers.Contains("WWW-Authenticate"));
+        }
+
         protected override string AugmentCommand(string command)
         {
-            // Mimic the lowecase relative url format used by the token and default options.
-            string uri = (this.ImageSource + command).Replace("http://localhost", string.Empty).ToLowerInvariant();
+            // Mimic the case sensitive url format used by the token and default options.
+            string uri = (this.ImageSource + command).Replace("http://localhost", string.Empty);
             string token = HMACUtilities.ComputeHMACSHA256(uri, AuthenticatedTestServerFixture.HMACSecretKey);
             return command + "&" + HMACUtilities.TokenCommand + "=" + token;
         }
