by caltrops 3146 days ago
I’d be very worried about a security issue with the unsafe C++ code.

You really have to run this kind of complex parsing in a disposable containerized environment to do it safely. Or do everything carefully and in a memory safe language.

3 comments

I'm not sure why this is being downvoted - image processing is one of the most dangerous parts of a common consumer-facing web software stack. By and large this is because image container formats are poorly documented, overly broad, and rely on a lot of tricky binary parsing that's easy to mess up in an unsafe programming language. It's also one of the most obvious ingress points for untrusted binary data uploaded by an end-user, which is always going to be dangerous.

See the persistent, years-long trend where mobile devices and game consoles get exploited via some combination of libtiff and libpng.

The downvotes are also because it's a somewhat cliche comment on HN now. Anytime anyone is doing anything with C or C++ that is even indirectly web facing, "this could be unsafe!!!" is an obligatory comment, even though all major tech companies have core components written in C++, and there are big web apps that have been running for years that are mostly written in C or C++. Security is definitely a concern, but these kinds of comments can derail interesting discussion, in the same way complaining about font readability or template choice in an otherwise interesting article can.
This isn’t one of those. Handing large amounts of unvalidated user input to these libraries is particularly dangerous.
To be fair, most everything under the hood passes through to these libraries. So even sticking with Python means passing unvalidated blobs through to libpng/jpeg/tiff or some other low-level language.

It's the entire reason Python is generally fast enough; anything that's slow generally uses a C lib under the hood anyway.

Where is the assumption coming from that it hasn't been validated?
Unvalidated user input? What are you talking about, this is about image resizing. Your buzzwords make no sense.
Yes, and images are user input in this case
True (and I didn't downvote, by the way), but a "memory safe" language might not be as helpful as people might think. Most memory-managed languages still rely on native libraries to perform image processing; if at the end you are using libpng and there is an exploit in it, it doesn't matter whether you are using Python or C++. Both code bases would have the same exploit if it is not explicitly mitigated in the logic.
The downvote is probably because the comment implied that the issue is that the image processing is done in "unsafe" C++ and that another language should have been used.

However, there isn't much choice. Performance is very important in image processing, so much that many libraries contain hand-written assembly. In the article, it says that 90% of processing power is dedicated to it. Using a safer language in a safe way could completely kill performance and significantly increase the costs.

How much does a hack of all your data and/or a major outage cost?

I also recommended a mitigation strategy for unsafe code. Complaining that security is too hard is the reason for the situation we find ourselves in as an industry.

> How much does a hack of all your data and/or a major outage cost?

Seems to vary wildly. For some, it's not that expensive.

>How much does a hack of all your data and/or a major outage cost?

How much indeed? What was the last time? Ah, yes, Equifax. What happened? Nothing.

> I'm not sure why this is being downvoted

If I were a betting person, I'd wager that it may seem somewhat like "rewrite it in Rust" cargo culting.

Except those would be upvoting it...
I'd love to be pointed at any resource where somebody who has spent the time walks through the best way to do this safely. Is the only way to do it safely inside a container via some networked connection? Are there other ways to lock down ImageMagick etc such that you can resize safely?
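As an added example (not from any commenter here, and not code from the project discussed in the article), the following Python sketch shows the two layers a defender would combine for the "resize untrusted uploads" problem raised above: a cheap pure-Python pre-check that sniffs the container by magic bytes and reads the declared dimensions from the PNG IHDR or JPEG SOF header before any native decoder touches the data, and a wrapper that runs the actual decoder/resizer as a throwaway child process under POSIX resource limits and a timeout, so a crash, hang or runaway allocation in libpng/libjpeg/ImageMagick is reported rather than inherited by the server. The pixel budget, the sample byte strings and the use of `sys.executable` as a stand-in for the real `convert` command are constructed assumptions for this example; the pre-check is not a substitute for the sandbox, only a way to reject the obvious garbage earlier.

```python
import struct
import subprocess
import resource
import sys

# Constructed policy value for this example: refuse anything above ~50 megapixels before decoding.
MAX_PIXELS = 50_000_000


def sniff_format(data: bytes):
    """Identify the container by its leading bytes rather than trusting a filename or Content-Type."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:4] == b"GIF8" and data[4:6] in (b"7a", b"9a"):
        return "gif"
    return None


def png_dimensions(data: bytes):
    """PNG: 8-byte signature, then the IHDR chunk (length, 'IHDR', width, height) must come first."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("malformed PNG: IHDR is not the first chunk")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data: bytes):
    """JPEG: walk marker segments until a SOFn frame header (0xC0..0xCF except C4/C8/CC) gives height and width."""
    i, n = 2, len(data)  # skip the SOI marker
    while i + 4 <= n:
        if data[i] != 0xFF:
            raise ValueError("malformed JPEG: expected a marker byte")
        marker = data[i + 1]
        if marker == 0xFF:  # fill byte before a marker
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            i += 2
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if seg_len < 2:
            raise ValueError("malformed JPEG: bad segment length")
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if i + 9 > n:
                raise ValueError("malformed JPEG: truncated SOF segment")
            # SOF layout: marker(2) length(2) precision(1) height(2) width(2) ...
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    raise ValueError("malformed JPEG: no SOF segment found")


def precheck(data: bytes, max_pixels: int = MAX_PIXELS):
    """Validate format and declared size in pure Python before handing the bytes to a native library."""
    fmt = sniff_format(data)
    if fmt is None:
        raise ValueError("unsupported or mislabeled file")
    if fmt == "png":
        width, height = png_dimensions(data)
    elif fmt == "jpeg":
        width, height = jpeg_dimensions(data)
    else:
        raise ValueError(f"{fmt} is not allowed by policy")
    if width == 0 or height == 0 or width * height > max_pixels:
        raise ValueError(f"declared size {width}x{height} is outside policy")
    return fmt, width, height


def run_contained(cmd, *, timeout_s=10, max_mem_bytes=1024 * 2**20, max_cpu_s=10):
    """Run the native decoder/resizer (e.g. an ImageMagick command line) as a disposable child
    process with address-space, CPU and wall-clock limits. Returns a verdict instead of raising."""
    def apply_limits():  # runs in the child, between fork and exec (POSIX only)
        resource.setrlimit(resource.RLIMIT_AS, (max_mem_bytes, max_mem_bytes))
        resource.setrlimit(resource.RLIMIT_CPU, (max_cpu_s, max_cpu_s))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps of image data on disk
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout_s, preexec_fn=apply_limits)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout"}  # subprocess.run kills the child for us
    if proc.returncode != 0:
        return {"ok": False, "reason": f"exit {proc.returncode}"}
    return {"ok": True, "reason": "ok"}


# Constructed sample headers for the pre-check (not real, decodable image files).
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00")
HUGE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 100_000, 100_000) + b"\x08\x02\x00\x00\x00")
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 480, 640)
               + b"\x03" + b"\x00" * 9)

if __name__ == "__main__":
    print(precheck(SAMPLE_PNG), precheck(SAMPLE_JPEG))
    # Stand-in for a real resize command such as ["convert", "in.png", "-resize", "50%", "out.png"]:
    print(run_contained([sys.executable, "-c", "import time; time.sleep(5)"], timeout_s=1))
```

In production the `cmd` would be the real resizer, ideally also wrapped in a container or seccomp profile and fed a copy of the file rather than the upload path, and the header pre-check would reject mismatched or oversized declarations before any native code runs.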
This has nothing to do with parsing.

Also, your life must be very stressful.