6

Stop spammers from abusing ImageProcessor to flood your Umbraco 8 logs

 3 years ago
source link: https://dev.to/skttl/stop-spammers-from-abusing-imageprocessor-to-flood-your-umbraco-8-logs-2c5m
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client
Cover image for Stop spammers from abusing ImageProcessor to flood your Umbraco 8 logs
Søren Kottal

Posted on Mar 15

Stop spammers from abusing ImageProcessor to flood your Umbraco 8 logs

I have a bunch of client projects, where I started seeing error logs mentioning ImageProcessor like
ImageProcessor.Common.Exceptions.ImageProcessingException: ProcessImageAsync 609 : Not Found or ImageProcessor.Common.Exceptions.ImageProcessingException: ProcessImageAsync 609 : No image exists at C:\home\site\wwwroot\test.jpg

I found out, that every time you request an image, with querystring parameters triggering ImageProcessor - like width, height, format and so forth - ImageProcessor will log an error in your tracelogs like the above if the image is not found.

At first, I didn't care, I had rather good control over which images were requested with ImageProcessor parameters, so a quick broken link check later, and no broken image urls were left.

But one project kept logging these errors. Apparently, someone was deeplinking to non-existing images with parameters triggering ImageProcessor. And the log files were getting enormous, with all the error messages from ImageProcessor. Something needed to be done.

I could have turned off logging completely, but then I would miss valuable logs about other stuff in the project, so I asked in the community Discord channel.

It wasn't long before the always helpful Sebastiaan Janssen suggested adding a filter to the log settings, to filter them out. What a simple and brilliant way of controlling this.

So now, I have added the following to the projects Serilog config file, found in /config/serilog.config:

<configuration>
    <appSettings>
        <add key="serilog:minimum-level:override:ImageProcessor.Web.HttpModules.ImageProcessingModule" value="Fatal" />
    </appSettings>
</configuration>

Enter fullscreen mode

Exit fullscreen mode

This setting tells Serilog that messages from ImageProcessor.Web.HttpModules.ImageProcessingModule should only be recorded when their level is at least Fatal. And since Fatal is higher than Error, I no longer get those exceptions.

You can get the same effect in Umbraco 7 too

Umbraco 7 uses log4net for logging instead of Serilog which is used in Umbraco 8, so the above example can't be used for Umbraco 7. However, Matthew Hart jumped into the Discord conversation and suggested the following config setting for the log4net config in Umbraco 7 (located in /config/log4net.config), in case you have a similar problem on that version.

<log4net>
    <appender name="rollingFile" type="log4net.Appender.RollingFileAppender">
        <filter type="log4net.Filter.LoggerMatchFilter">
            <loggerToMatch value="ImageProcessor.Web" />
            <acceptOnMatch value="false" />
        </filter>
    </appender>
</log4net>

Enter fullscreen mode

Exit fullscreen mode

Another usecase for log filtering

The config also revealed to me, that I could create a filter, letting Debug messages from my own code be recorded, while keeping the general level at Info or Warning.

Thus, making it possible for me to actually find the debug messages from my own code when needed, without being buried in the huge pile of debug messages from all other parts of the project. Win-win!


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK