- The images we are talking about here are the ones uploaded to the application from the user side as profile pictures, banners, cover pictures, folder pictures, etc. These are the images we need to sanitize, ensuring that only a valid image is uploaded and nothing else.
- LFI - An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.
- RFI - Using remote file inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential web security consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to remote code execution and, as a final result, full system compromise. Remote file inclusion attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function.
- Code execution via file upload - a file is uploaded which the server then runs, so the commands in the file are executed on the server. These can be any commands, from deleting folders to opening a backdoor.
- XSS via SVG - SVG files can be used to perform XSS against the application. We will see how in later slides.
- Another thing that can happen, even if the image is of a valid type, is that the attacker uploads an image of, say, 30,000 x 30,000 pixels and 50 MB in size. Decoding that will load your server (the image server) for at least 1 minute, which means the attacker can crash it. So this is also an issue that has to be fixed.
- So now we will look at an image filter in Ruby on Rails that rejects uploaded images whose file size, height or width exceed set limits.
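As an added example (not code from the original slides), the filter below covers both points above: it confirms the upload really is a PNG, JPEG or GIF by its magic bytes, and it reads the width and height from the file header alone, so an oversized image is rejected before any decoder (ImageMagick, libvips) is asked to allocate a 30,000 x 30,000 pixel buffer. The limits (5 MB, 4096 x 4096) and the helper names are assumptions chosen for the example; the sample headers at the bottom are constructed inline so the script runs offline.

```ruby
# Added example: header-only image validation for uploads (not the original
# page's code). Limits below are assumed policy values, not from the slides.
MAX_BYTES  = 5 * 1024 * 1024   # 5 MB file-size cap (assumed)
MAX_WIDTH  = 4096              # pixel caps (assumed)
MAX_HEIGHT = 4096

# Returns [format, width, height] or nil if the bytes are not PNG, JPEG or GIF.
# Only the header is inspected; the pixel data is never decoded.
def image_dimensions(bytes)
  bytes = bytes.b
  if bytes.start_with?("\x89PNG\r\n\x1a\n".b)
    # PNG: 8-byte signature, then the IHDR chunk (length, "IHDR", width, height)
    return nil unless bytes.bytesize >= 24 && bytes[12, 4] == "IHDR".b
    w, h = bytes[16, 8].unpack("N2")
    [:png, w, h]
  elsif bytes.start_with?("GIF87a".b) || bytes.start_with?("GIF89a".b)
    # GIF: 6-byte signature, then little-endian u16 width and height
    return nil unless bytes.bytesize >= 10
    w, h = bytes[6, 4].unpack("v2")
    [:gif, w, h]
  elsif bytes.start_with?("\xFF\xD8".b)
    jpeg_dimensions(bytes)
  end
end

# JPEG: walk marker segments after SOI until a Start-Of-Frame (SOF0..SOF15,
# excluding DHT 0xC4, JPG 0xC8 and DAC 0xCC); its payload is precision(1),
# height(2), width(2), all big-endian.
def jpeg_dimensions(bytes)
  pos = 2
  while pos + 4 <= bytes.bytesize
    return nil unless bytes.getbyte(pos) == 0xFF
    marker = bytes.getbyte(pos + 1)
    if marker == 0xFF                          # fill byte, keep scanning
      pos += 1
      next
    end
    if marker == 0x01 || (0xD0..0xD7).cover?(marker)  # stand-alone markers
      pos += 2
      next
    end
    return nil if marker == 0xD9 || marker == 0xDA  # EOI or SOS before any SOF
    length = bytes[pos + 2, 2].unpack1("n")
    sof = (0xC0..0xCF).cover?(marker) && ![0xC4, 0xC8, 0xCC].include?(marker)
    if sof
      return nil if pos + 9 > bytes.bytesize
      h, w = bytes[pos + 5, 4].unpack("n2")
      return [:jpeg, w, h]
    end
    pos += 2 + length
  end
  nil
end

# Returns [accepted?, reason]. Reject on size first (cheapest check), then on
# type, then on dimensions, so nothing expensive runs on a bad upload.
def validate_upload(bytes, max_bytes: MAX_BYTES, max_width: MAX_WIDTH, max_height: MAX_HEIGHT)
  return [false, "file too large (#{bytes.bytesize} bytes)"] if bytes.bytesize > max_bytes
  info = image_dimensions(bytes)
  return [false, "not a PNG, JPEG or GIF"] if info.nil?
  fmt, w, h = info
  if w.nil? || h.nil? || w.zero? || h.zero? || w > max_width || h > max_height
    return [false, "#{fmt} dimensions #{w}x#{h} exceed #{max_width}x#{max_height}"]
  end
  [true, "#{fmt} #{w}x#{h}"]
end

# --- constructed sample headers (only the bytes the checks look at) ---
def png_header(width, height)
  ihdr = [width, height, 8, 6, 0, 0, 0].pack("NNCCCCC")
  "\x89PNG\r\n\x1a\n".b + [13].pack("N") + "IHDR".b + ihdr + "\0\0\0\0".b
end

def jpeg_header(width, height)
  soi  = "\xFF\xD8".b
  app0 = "\xFF\xE0".b + [16].pack("n") + "JFIF\0".b + "\x01\x01\x00\x00\x01\x00\x01\x00\x00".b
  sof0 = "\xFF\xC0".b + [11].pack("n") + [8, height, width, 1].pack("CnnC") + "\x01\x11\x00".b
  soi + app0 + sof0
end

if __FILE__ == $PROGRAM_NAME
  p validate_upload(png_header(64, 64))            # accepted
  p validate_upload(png_header(30_000, 30_000))    # rejected: dimensions
  p validate_upload(jpeg_header(640, 480))         # accepted
  p validate_upload("<?php echo 1; ?>".b)          # rejected: not an image
end
```

In a Rails model this sits in a custom validation: read the uploaded tempfile with `File.binread`, call `validate_upload`, and add the returned reason to `errors` when the first element is `false`. Because only the header is parsed, the check costs the same for a 50 MB upload as for a thumbnail, which is the point: the expensive decode is reserved for files that have already passed the type and dimension limits.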