Add HMAC functionality

Author: JimBobSquarePants

src/ImageSharp.Web/Caching/SHA256CacheHash.cs

@@ -33,18 +33,16 @@ public SHA256CacheHash(IOptions<ImageSharpMiddlewareOptions> options)
         public string Create(string value, uint length)
         {
             int byteCount = Encoding.ASCII.GetByteCount(value);
-
-            // Allocating a buffer from the pool is ~27% slower than stackalloc so use that for short strings
-            if (byteCount < 257)
-            {
-                return HashValue(value, length, stackalloc byte[byteCount]);
-            }
-
             byte[] buffer = null;
+
             try
             {
-                buffer = ArrayPool<byte>.Shared.Rent(byteCount);
-                return HashValue(value, length, buffer.AsSpan(0, byteCount));
+                // Allocating a buffer from the pool is ~27% slower than stackalloc so use that for short strings
+                Span<byte> bytes = byteCount <= 128
+                    ? stackalloc byte[byteCount]
+                    : (buffer = ArrayPool<byte>.Shared.Rent(byteCount)).AsSpan(0, byteCount);
+
+                return HashValue(value, length, bytes);
             }
             finally
             {

src/ImageSharp.Web/Caching/UriAbsoluteCacheKey.cs

@@ -13,6 +13,6 @@ public class UriAbsoluteCacheKey : ICacheKey
     {
         /// <inheritdoc/>
         public string Create(HttpContext context, CommandCollection commands)
-            => CacheKeyHelper.BuildAbsoluteKey(CacheKeyHelper.CaseHandling.None, context.Request.Host, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
+            => CaseHandlingUriBuilder.BuildAbsolute(CaseHandlingUriBuilder.CaseHandling.None, context.Request.Host, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
     }
 }

src/ImageSharp.Web/Caching/UriAbsoluteLowerInvariantCacheKey.cs

@@ -13,6 +13,6 @@ public class UriAbsoluteLowerInvariantCacheKey : ICacheKey
     {
         /// <inheritdoc/>
         public string Create(HttpContext context, CommandCollection commands)
-            => CacheKeyHelper.BuildAbsoluteKey(CacheKeyHelper.CaseHandling.LowerInvariant, context.Request.Host, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
+            => CaseHandlingUriBuilder.BuildAbsolute(CaseHandlingUriBuilder.CaseHandling.LowerInvariant, context.Request.Host, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
     }
 }

src/ImageSharp.Web/Caching/UriRelativeCacheKey.cs

@@ -13,6 +13,6 @@ public class UriRelativeCacheKey : ICacheKey
     {
         /// <inheritdoc/>
         public string Create(HttpContext context, CommandCollection commands)
-            => CacheKeyHelper.BuildRelativeKey(CacheKeyHelper.CaseHandling.None, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
+            => CaseHandlingUriBuilder.BuildRelative(CaseHandlingUriBuilder.CaseHandling.None, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
     }
 }

src/ImageSharp.Web/Caching/UriRelativeLowerInvariantCacheKey.cs

@@ -13,6 +13,6 @@ public class UriRelativeLowerInvariantCacheKey : ICacheKey
     {
         /// <inheritdoc/>
         public string Create(HttpContext context, CommandCollection commands)
-            => CacheKeyHelper.BuildRelativeKey(CacheKeyHelper.CaseHandling.LowerInvariant, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
+            => CaseHandlingUriBuilder.BuildRelative(CaseHandlingUriBuilder.CaseHandling.LowerInvariant, context.Request.PathBase, context.Request.Path, QueryString.Create(commands));
     }
 }

…ImageSharp.Web/Caching/CacheKeyHelper.cs …ImageSharp.Web/CaseHandlingUriBuilder.cssrc/ImageSharp.Web/Caching/CacheKeyHelper.cs renamed to src/ImageSharp.Web/CaseHandlingUriBuilder.cs src/ImageSharp.Web/Caching/CacheKeyHelper.cs renamed to src/ImageSharp.Web/CaseHandlingUriBuilder.cs

@@ -6,18 +6,29 @@
 using System.Runtime.CompilerServices;
 using Microsoft.AspNetCore.Http;
 
-namespace SixLabors.ImageSharp.Web.Caching
+namespace SixLabors.ImageSharp.Web
 {
     /// <summary>
-    /// Optimized helper methods for generating cache keys from URI components. Much of this code has been adapted from the MIT licensed .NET runtime.
+    /// Optimized helper methods for generating encoded Uris from URI components.
+    /// Much of this code has been adapted from the MIT licensed .NET runtime.
     /// </summary>
-    internal static class CacheKeyHelper
+    public static class CaseHandlingUriBuilder
     {
         private static readonly SpanAction<char, (bool LowerInvariant, string Host, string PathBase, string Path, string Query)> InitializeAbsoluteUriStringSpanAction = new(InitializeAbsoluteUriString);
 
+        /// <summary>
+        /// Provides Uri case handling options.
+        /// </summary>
         public enum CaseHandling
         {
+            /// <summary>
+            /// No adjustments to casing are made.
+            /// </summary>
             None,
+
+            /// <summary>
+            /// All URI components are converted to lower case using the invariant culture before combining.
+            /// </summary>
             LowerInvariant
         }
 
@@ -29,14 +40,14 @@ public enum CaseHandling
         /// <param name="path">The portion of the request path that identifies the requested resource.</param>
         /// <param name="query">The query, if any.</param>
         /// <returns>The combined URI components, properly encoded for use in HTTP headers.</returns>
-        public static string BuildRelativeKey(
+        public static string BuildRelative(
             CaseHandling handling,
             PathString pathBase = default,
             PathString path = default,
             QueryString query = default)
 
             // Take any potential performance hit vs concatination for code reading sanity.
-            => BuildAbsoluteKey(handling, default, pathBase, path, query);
+            => BuildAbsolute(handling, default, pathBase, path, query);
 
         /// <summary>
         /// Combines the given URI components into a string that is properly encoded for use in HTTP headers.
@@ -48,7 +59,7 @@ public static string BuildRelativeKey(
         /// <param name="path">The portion of the request path that identifies the requested resource.</param>
         /// <param name="query">The query, if any.</param>
         /// <returns>The combined URI components, properly encoded for use in HTTP headers.</returns>
-        public static string BuildAbsoluteKey(
+        public static string BuildAbsolute(
             CaseHandling handling,
             HostString host,
             PathString pathBase = default,
@@ -113,7 +124,7 @@ private static int CopyTextToBufferLowerInvariant(Span<char> buffer, int index,
             => index + text.ToLowerInvariant(buffer.Slice(index, text.Length));
 
         /// <summary>
-        /// Initializes the URI <see cref="string"/> for <see cref="BuildAbsoluteKey(CaseHandling, HostString, PathString, PathString, QueryString)"/>.
+        /// Initializes the URI <see cref="string"/> for <see cref="BuildAbsolute(CaseHandling, HostString, PathString, PathString, QueryString)"/>.
         /// </summary>
         /// <param name="buffer">The URI <see cref="string"/>'s <see cref="char"/> buffer.</param>
         /// <param name="uriParts">The URI parts.</param>

src/ImageSharp.Web/HMACUtilities.cs

@@ -4,9 +4,9 @@
 using System;
 using System.Buffers;
 using System.Runtime.CompilerServices;
-using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Text;
+using SixLabors.ImageSharp.Web.Caching;
 
 namespace SixLabors.ImageSharp.Web
 {
@@ -15,55 +15,82 @@ namespace SixLabors.ImageSharp.Web
     /// </summary>
     public static class HMACUtilities
     {
+        /// <summary>
+        /// The command used by image requests for transporting Hash-based Message Authentication Code (HMAC) tokens.
+        /// </summary>
+        public const string TokenCommand = "hmac";
+
         /// <summary>
         /// Computes a Hash-based Message Authentication Code (HMAC) by using the SHA256 hash function.
         /// </summary>
         /// <param name="value">The value to hash</param>
         /// <param name="secret">
-        /// The secret key for <see cref="HMACSHA256"/>encryption.
+        /// The secret key for <see cref="HMACSHA256"/> encryption.
         /// The key can be any length. However, the recommended size is 64 bytes.
         /// </param>
         /// <returns>The hashed <see cref="string"/>.</returns>
-        public static unsafe string CreateSHA256HashCode(string value, byte[] secret)
+        public static unsafe string ComputeHMACSHA256(string value, byte[] secret)
         {
-            static void Action(Span<char> chars, (IntPtr Ptr, int Length, string Value, byte[] Secret) args)
-            {
-                var bytes = new Span<byte>((byte*)args.Ptr, args.Length);
-                Encoding.ASCII.GetBytes(args.Value, bytes);
-                using var hashAlgorithm = new HMACSHA256(args.Secret);
-                hashAlgorithm.TryComputeHash(bytes, MemoryMarshal.Cast<char, byte>(chars), out int _);
-            }
+            // TODO: In .NET 6 we can use single instance versions
+            using var hmac = new HMACSHA256(secret);
+            return CreateHMAC(value, hmac);
+        }
 
-            // Bits to chars - 256/8/2
-            return CreateHMAC(value, secret, 16, Action);
+        /// <summary>
+        /// Computes a Hash-based Message Authentication Code (HMAC) by using the SHA384 hash function.
+        /// </summary>
+        /// <param name="value">The value to hash</param>
+        /// <param name="secret">
+        /// The secret key for <see cref="HMACSHA256"/> encryption.
+        /// The key can be any length. However, the recommended size is 128 bytes.
+        /// </param>
+        /// <returns>The hashed <see cref="string"/>.</returns>
+        public static unsafe string ComputeHMACSHA384(string value, byte[] secret)
+        {
+            using var hmac = new HMACSHA384(secret);
+            return CreateHMAC(value, hmac);
+        }
+
+        /// <summary>
+        /// Computes a Hash-based Message Authentication Code (HMAC) by using the SHA512 hash function.
+        /// </summary>
+        /// <param name="value">The value to hash</param>
+        /// <param name="secret">
+        /// The secret key for <see cref="HMACSHA256"/> encryption.
+        /// The key can be any length. However, the recommended size is 128 bytes.
+        /// </param>
+        /// <returns>The hashed <see cref="string"/>.</returns>
+        public static unsafe string ComputeHMACSHA512(string value, byte[] secret)
+        {
+            using var hmac = new HMACSHA512(secret);
+            return CreateHMAC(value, hmac);
         }
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
-        private static unsafe string CreateHMAC(string value, byte[] secret, int length, SpanAction<char, (IntPtr Ptr, int Length, string Value, byte[] Secret)> action)
+        private static unsafe string CreateHMAC(string value, HMAC hmac)
         {
             int byteCount = Encoding.ASCII.GetByteCount(value);
-
-            // Allocating a buffer from the pool is ~27% slower than stackalloc so use that for short strings
-            if (byteCount < 257)
-            {
-                fixed (byte* bytesPtr = stackalloc byte[byteCount])
-                {
-                    return string.Create(length, ((IntPtr)bytesPtr, byteCount, value, secret), action);
-                }
-            }
-
             byte[] buffer = null;
+
             try
             {
-                buffer = ArrayPool<byte>.Shared.Rent(byteCount);
-                fixed (byte* bytesPtr = buffer.AsSpan(0, byteCount))
-                {
-                    return string.Create(length, ((IntPtr)bytesPtr, byteCount, value, secret), action);
-                }
+                // Allocating a buffer from the pool is ~27% slower than stackalloc so use that for short strings
+                Span<byte> bytes = byteCount <= 128
+                    ? stackalloc byte[byteCount]
+                    : (buffer = ArrayPool<byte>.Shared.Rent(byteCount)).AsSpan(0, byteCount);
+
+                Encoding.ASCII.GetBytes(value, bytes);
+
+                // Safe to always stackalloc here. We max out at 64 bytes.
+                Span<byte> hash = stackalloc byte[hmac.HashSize / 8];
+                hmac.TryComputeHash(bytes, hash, out int _);
+
+                // Finally encode the hash to make it web safe.
+                return HexEncoder.Encode(hash);
             }
             finally
             {
-                if (buffer != null)
+                if (buffer is not null)
                 {
                     ArrayPool<byte>.Shared.Return(buffer);
                 }

src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs

@@ -191,9 +191,18 @@ public ImageSharpMiddleware(
 
         private async Task Invoke(HttpContext httpContext, bool retry)
         {
-            // We expect to get concrete collection type which removes virtual dispatch concerns and enumerator allocations
             CommandCollection commands = this.requestParser.ParseRequestCommands(httpContext);
 
+            // First check for a HMAC token and capture before the command is stripped out.
+            byte[] secret = this.options.HMACSecretKey;
+            bool doHMAC = false;
+            string token = null;
+            if (secret?.Length > 0)
+            {
+                doHMAC = true;
+                token = commands.GetValueOrDefault(HMACUtilities.TokenCommand);
+            }
+
             if (commands.Count > 0)
             {
                 // Strip out any unknown commands, if needed.
@@ -211,8 +220,22 @@ private async Task Invoke(HttpContext httpContext, bool retry)
                 }
             }
 
-            await this.options.OnParseCommandsAsync.Invoke(
-                new ImageCommandContext(httpContext, commands, this.commandParser, this.parserCulture));
+            ImageCommandContext imageCommandContext = new(httpContext, commands, this.commandParser, this.parserCulture);
+
+            if (doHMAC)
+            {
+                // Compare the passed token to our generated mac.
+                string mac = await this.options.OnComputeHMACAsync(imageCommandContext, secret);
+                if (mac != token)
+                {
+                    // Throw a 401. We don't log the error to avoid attempts at log poisoning.
+                    httpContext.Response.Clear();
+                    httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                    return;
+                }
+            }
+
+            await this.options.OnParseCommandsAsync.Invoke(imageCommandContext);
 
             // Get the correct service for the request
             IImageProvider provider = null;

src/ImageSharp.Web/Middleware/ImageSharpMiddlewareOptions.cs

@@ -7,7 +7,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.IO;
 using SixLabors.ImageSharp.Web.Commands;
-using SixLabors.ImageSharp.Web.Processors;
 using SixLabors.ImageSharp.Web.Providers;
 
 namespace SixLabors.ImageSharp.Web.Middleware
@@ -17,40 +16,18 @@ namespace SixLabors.ImageSharp.Web.Middleware
     /// </summary>
     public class ImageSharpMiddlewareOptions
     {
-        private Func<ImageCommandContext, Task> onParseCommandsAsync = c =>
+        private Func<ImageCommandContext, byte[], Task<string>> onComputeHMACAsync = (context, secret) =>
         {
-            if (c.Commands.Count == 0)
-            {
-                return Task.CompletedTask;
-            }
-
-            // It's a good idea to have this to provide very basic security.
-            uint width = c.Parser.ParseValue<uint>(
-                c.Commands.GetValueOrDefault(ResizeWebProcessor.Width),
-                c.Culture);
-
-            uint height = c.Parser.ParseValue<uint>(
-                c.Commands.GetValueOrDefault(ResizeWebProcessor.Height),
-                c.Culture);
-
-            if (width > 4000 && height > 4000)
-            {
-                c.Commands.Remove(ResizeWebProcessor.Width);
-                c.Commands.Remove(ResizeWebProcessor.Height);
-            }
-
-            float[] coordinates = c.Parser.ParseValue<float[]>(c.Commands.GetValueOrDefault(ResizeWebProcessor.Xy), c.Culture);
-
-            if (coordinates.Length != 2
-            || coordinates[1] < 0 || coordinates[1] > 1
-            || coordinates[0] < 0 || coordinates[0] > 1)
-            {
-                c.Commands.Remove(ResizeWebProcessor.Xy);
-            }
+            string uri = CaseHandlingUriBuilder.BuildRelative(
+                 CaseHandlingUriBuilder.CaseHandling.LowerInvariant,
+                 context.Context.Request.PathBase,
+                 context.Context.Request.Path,
+                 QueryString.Create(context.Commands));
 
-            return Task.CompletedTask;
+            return Task.FromResult(HMACUtilities.ComputeHMACSHA256(uri, secret));
         };
 
+        private Func<ImageCommandContext, Task> onParseCommandsAsync = _ => Task.CompletedTask;
         private Func<FormattedImage, Task> onBeforeSaveAsync = _ => Task.CompletedTask;
         private Func<ImageProcessingContext, Task> onProcessedAsync = _ => Task.CompletedTask;
         private Func<HttpContext, Task> onPrepareResponseAsync = _ => Task.CompletedTask;
@@ -98,6 +75,30 @@ public class ImageSharpMiddlewareOptions
         /// </summary>
         public uint CacheHashLength { get; set; } = 12;
 
+        /// <summary>
+        /// Gets or sets the secret key for Hash-based Message Authentication Code (HMAC) encryption.
+        /// </summary>
+        /// <remarks>
+        /// The key can be any length. However, the recommended size is at least 64 bytes. If the length is zero then no authentication is performed.
+        /// </remarks>
+        public byte[] HMACSecretKey { get; set; } = Array.Empty<byte>();
+
+        /// <summary>
+        /// Gets or sets the method used to compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// Defaults to <see cref="HMACUtilities.ComputeHMACSHA256(string, byte[])"/> using an invariant lowercase relative Uri
+        /// generated using <see cref="CaseHandlingUriBuilder.BuildRelative(CaseHandlingUriBuilder.CaseHandling, PathString, PathString, QueryString)"/>.
+        /// </summary>
+        public Func<ImageCommandContext, byte[], Task<string>> OnComputeHMACAsync
+        {
+            get => this.onComputeHMACAsync;
+
+            set
+            {
+                Guard.NotNull(value, nameof(this.onComputeHMACAsync));
+                this.onComputeHMACAsync = value;
+            }
+        }
+
         /// <summary>
         /// Gets or sets the additional command parsing method that can be used to used to augment commands.
         /// This is called once the commands have been gathered and before an <see cref="IImageProvider"/> has been assigned.