C# MVC: Encoding a png, jpg, or pdf return value to prevent XSS

Question

Suppose I have an C# MVC app which has a controller method that returns one of 3 content types: image png, image jpeg, or application pdf. I have read that it is possible to have images that contain XSS payloads. What would be the best way to Encode/escape these return contents so they aren't vulnerable to XSS? The controller method looks like this:

string contentType = "image/png";
                    MemoryStream mem = new MemoryStream();
                    if (ImageFormat == null || ImageFormat == "")
                    {
                        image.Save(mem, System.Drawing.Imaging.ImageFormat.Png);
                    }
                    else
                    {
                        if (ImageFormat.ToUpper() == "PNG") image.Save(mem, System.Drawing.Imaging.ImageFormat.Png);
                        if (ImageFormat.ToUpper() == "JPEG")
                        {
                            image.Save(mem, System.Drawing.Imaging.ImageFormat.Jpeg);
                            contentType = "image/jpeg";
                        }
                    }
                    mem.Position = 0;
                    mem.Seek(0, SeekOrigin.Begin);
                    return this.Image(mem, contentType);

Where Image is defined the following class here:

using …

    namespace x.Classes
    {
        public static class ControllerExtensions
        {
            public static ImageResult Image(this Controller controller, Stream imageStream, string contentType)
            {
                return new ImageResult(imageStream, contentType);
            }        
       }
    }

And the OutputStream is written to using:

using …
namespace x.Classes
{
    public class ImageResult : ActionResult
    {
        public ImageResult(Stream imageStream, string contentType)
        {
            if (imageStream == null)
                throw new ArgumentNullException("imageStream");
            if (contentType == null)
                throw new ArgumentNullException("contentType");
           this.ImageStream = imageStream;
           this.ContentType = contentType;
       }
       public Stream ImageStream { get; private set; }
       public string ContentType { get; private set; }
       public override void ExecuteResult(ControllerContext context)
       {
           if (context == null)
               throw new ArgumentNullException("context");
           HttpResponseBase response = context.HttpContext.Response;
           response.ContentType = this.ContentType;
           byte[] buffer = new byte[4096];
           while (true)
           {
               int read = this.ImageStream.Read(buffer, 0, buffer.Length);
               if (read == 0)
                   break;
               response.OutputStream.Write(buffer, 0, read);
           }
           response.End();
       }
   }
}

Is there a way for me to escape/encode the buffer that is getting written to the OutputStream here:`

response.OutputStream.Write(buffer, 0, read);

To protect against XSS attacks? For example if this were HTML that was being returned:

response.OutputStream.Write(HttpUtility.HtmlEncode(buffer), 0, read);

But we know we are returning a jpeg, pdf, or png which means Html encode won't work here. So what do we use to safely escape/encode an image/pdf?

Answer 1

By the time you have buffer ready, it's too late. The same as with HTML, you want to context-sensitively encode any user input in those files, not the whole thing.

Now, with images this doesn't make much sense in the context of XSS, an image is rendered by an image renderer, and not as html, so there won't be any javascript to be run. The general best practice for uploaded images is to process them on the server and save them as a new image, because this removes all unnecessary things, but it has its risks as well if your processor itself is the target of an attack.

SVG for example is a different beast, SVG can have code in it, as can PDF. But again, PDFs will be open on the client with a PDF viewer, not in the context of the web application even if the PDF viewer is the browser itself (the browser hopefully separates Javascript in the PDF from the web page even if the origin is the same).

But javascript in a PDF can still be an issue for the client. Javascript running in a PDF may do harmful things, the simplest of which is consume client resources (ie. DoS of some sort), or it may try to break out of the PDF context somehow exploiting a viewer vulnerability. So the attack would be that one user uploads a malicious PDF for others to download. I think the best you can do against this is scan uploaded files for malware (which you should do anyway).

If you are generating all of this from user input (images, PDFs), then the libraries you use should take care of properly encoding values so that a malicious user can't inject code in a PDF. When the PDF is already generated, you can't "fix" it anymore, user input is mixed with code.

Also make sure to set the following header in responses (along with the correct Content-Type of course): X-Content-Type-Options: nosniff

Answer 2

You do not need to encode the images themselves, you need to encode/escape the links to the images.

For example:

<a href="image.url.png?logout">Link Title</a>

where image.url.png?logout comes from user input.

You would url encode image.url.png?logout as image.url.png%3Flogout so that it is rendered useless to an attacker.