security - Image sanitization library

Question

I have a website that displays images submitted by users. I am concerned about some wiseguy uploading an image which may exploit some 0-day vulnerability in a browser rendering engine. Moreover, I would like to purge images of metadata (like EXIF data), and attempt to compress them further in a lossless manner (there are several such command line utilities for PNG and JPEG).

With the above in mind, my question is as follows: is there some C/C++ library out there that caters to the above scenario? And even if the full pipeline of parsing -> purging -> sanitizing -> compressing -> writing is not available in any single library, can I at least implement the parsing -> purging -> sanitizing -> writing pipeline (without compressing) in a library that supports JPEG/PNG/GIF?

Answer 1

Your requirement is impossible to fulfill: if there is a 0-day vulnerability in one of the image reading libraries you use, then your code may be exploitable when it tries to parse and sanitize the incoming file. By "presanitizing" as soon as the image is received, you'd just be moving the point of exploitation earlier rather than later.

The only thing that would help is to parse and sanitize incoming images in a sandbox, so that, at least, if there was a vulnerability, it would be contained to the sandbox. The sandbox could be a separate process running as an unprivileged user in a chroot environment (or VM, for the very paranoid), with an interface consisting only of bytestream in, sanitized image out.

The sanitization itself could be as simple as opening the image with ImageMagick, decoding it to a raster, and reencoding and emitting them in a standard format (say, PNG or JPEG). Note that if the input and output are both lossy formats (like JPEG) then this transformation will be lossy.