Implement limits to image size and load times (#1790)

* Implement limits to image size and load times - Prevents issues caused by users attempting to load large images - Implements #1729 * Check dimensions given before attempting to load image
2025-07-05 12:36:40 +00:00 · 2022-06-13 08:04:59 +01:00
parent 8377b0987c
commit 02a6bb9b27
4 changed files with 49 additions and 9 deletions
--- a/worldedit-core/src/main/java/com/sk89q/worldedit/command/GenerationCommands.java
+++ b/worldedit-core/src/main/java/com/sk89q/worldedit/command/GenerationCommands.java
@ -21,7 +21,9 @@ package com.sk89q.worldedit.command;

 import com.fastasyncworldedit.core.Fawe;
 import com.fastasyncworldedit.core.configuration.Caption;
+import com.fastasyncworldedit.core.configuration.Settings;
 import com.fastasyncworldedit.core.function.generator.CavesGen;
+import com.fastasyncworldedit.core.internal.exception.FaweException;
 import com.fastasyncworldedit.core.util.MainUtil;
 import com.fastasyncworldedit.core.util.MaskTraverser;
 import com.fastasyncworldedit.core.util.MathMan;
@ -65,6 +67,11 @@ import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.net.URL;
 import java.util.List;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;

 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.sk89q.worldedit.command.util.Logging.LogMode.ALL;
@ -587,12 +594,34 @@ public class GenerationCommands {
        if (!url.getHost().equalsIgnoreCase("i.imgur.com")) {
            throw new IOException("Only i.imgur.com links are allowed!");
        }
-        BufferedImage image = MainUtil.readImage(url);
        if (dimensions != null) {
-            image = ImageUtil.getScaledInstance(image, dimensions.getBlockX(), dimensions.getBlockZ(),
-                    RenderingHints.VALUE_INTERPOLATION_BILINEAR, false
+            checkCommandArgument(
+                    (long) dimensions.getX() * dimensions.getZ() <= Settings.settings().WEB.MAX_IMAGE_SIZE,
+                    Caption.of("fawe.error.image-dimensions", Settings.settings().WEB.MAX_IMAGE_SIZE)
            );
        }
+        ExecutorService executor = Executors.newSingleThreadExecutor();
+        Future<BufferedImage> future = executor.submit(() -> {
+            BufferedImage image = MainUtil.readImage(url);
+            if (dimensions != null) {
+                image = ImageUtil.getScaledInstance(image, dimensions.getBlockX(), dimensions.getBlockZ(),
+                        RenderingHints.VALUE_INTERPOLATION_BILINEAR, false
+                );
+            }
+            return image;
+        });
+        BufferedImage image;
+        try {
+            image = future.get(Settings.settings().WEB.MAX_IMAGE_LOAD_TIME, TimeUnit.SECONDS);
+        } catch (InterruptedException | TimeoutException ignored) {
+            actor.printError(Caption.of("fawe.web.image.load.timeout", Settings.settings().WEB.MAX_IMAGE_LOAD_TIME));
+            return;
+        } catch (Throwable t) {
+            if (t.getCause() instanceof FaweException faweException) {
+                throw faweException;
+            }
+            throw new IOException(t.getCause());
+        }

        BlockVector3 pos1 = session.getPlacementPosition(actor);
        BlockVector3 pos2 = pos1.add(image.getWidth() - 1, 0, image.getHeight() - 1);