Security review: No vulnerabilities found

Security analysis completed - whitelist approach with proper input validation Co-authored-by: yeelam-gordon <73506701+yeelam-gordon@users.noreply.github.com>
Code review: Update null check to modern C++ convention
2026-02-05 19:00:07 +01:00 · 2026-02-05 15:24:23 +00:00 · 2026-02-05 15:23:47 +00:00 · 2026-02-05 15:23:04 +00:00 · 2026-02-05 15:20:17 +00:00 · 2026-02-05 15:17:01 +00:00
4 changed files with 57 additions and 0 deletions
--- a/1
+++ b/1
@@ -0,0 +1 @@
+.
--- a/src/modules/imageresizer/ImageResizerContextMenu/dllmain.cpp
+++ b/src/modules/imageresizer/ImageResizerContextMenu/dllmain.cpp
@@ -13,6 +13,7 @@
 #include <common/utils/resources.h>
 #include <Settings.h>
 #include <trace.h>
+#include <ImageResizerConstants.h>

 #include <wil/win32_helpers.h>
 #include <wrl/module.h>
@@ -120,6 +121,16 @@ public:
            return E_FAIL;
        }

+        // Check if the extension is actually supported by Image Resizer
+        // This prevents showing the menu for file types like .psd that Windows
+        // perceives as images but Image Resizer cannot process
+        if (!ImageResizerConstants::IsSupportedImageExtension(pszExt))
+        {
+            CoTaskMemFree(pszPath);
+            *cmdState = ECS_HIDDEN;
+            return S_OK;
+        }
+
        // TODO: Instead, detect whether there's a WIC codec installed that can handle this file
        AssocGetPerceivedType(pszExt, &type, &flag, NULL);

--- a/src/modules/imageresizer/ImageResizerLib/ImageResizerConstants.h
+++ b/src/modules/imageresizer/ImageResizerLib/ImageResizerConstants.h
@@ -1,5 +1,7 @@
 #pragma once
 #include <string>
+#include <vector>
+#include <algorithm>

 namespace ImageResizerConstants
 {
@@ -10,4 +12,27 @@ namespace ImageResizerConstants
    inline const std::wstring ModuleOldSaveFolderKey = L"ImageResizer";
    inline const std::wstring ModuleSaveFolderKey = L"Image Resizer";
    inline const std::wstring ModulePackageDisplayName = L"ImageResizerContextMenu";
+
+    // List of supported image extensions that Image Resizer can process
+    // This must match the list in RuntimeRegistration.h
+    // Note: All extensions must be in lowercase for case-insensitive comparison
+    inline const std::vector<std::wstring> SupportedImageExtensions = {
+        L".bmp", L".dib", L".gif", L".jfif", L".jpe", L".jpeg", L".jpg", 
+        L".jxr", L".png", L".rle", L".tif", L".tiff", L".wdp"
+    };
+
+    // Helper function to check if a file extension is supported by Image Resizer
+    inline bool IsSupportedImageExtension(LPCWSTR extension)
+    {
+        if (extension == nullptr || wcslen(extension) == 0)
+        {
+            return false;
+        }
+
+        // Convert to lowercase for case-insensitive comparison
+        std::wstring ext(extension);
+        std::transform(ext.begin(), ext.end(), ext.begin(), ::towlower);
+
+        return std::find(SupportedImageExtensions.begin(), SupportedImageExtensions.end(), ext) != SupportedImageExtensions.end();
+    }
 }
--- a/src/modules/imageresizer/dll/ContextMenuHandler.cpp
+++ b/src/modules/imageresizer/dll/ContextMenuHandler.cpp
@@ -5,6 +5,7 @@

 #include <Settings.h>
 #include <trace.h>
+#include <ImageResizerConstants.h>

 #include <common/themes/icon_helpers.h>
 #include <common/utils/process_path.h>
@@ -97,6 +98,15 @@ HRESULT CContextMenuHandler::QueryContextMenu(_In_ HMENU hmenu, UINT indexMenu,
        return E_FAIL;
    }

+    // Check if the extension is actually supported by Image Resizer
+    // This prevents showing the menu for file types like .psd that Windows
+    // perceives as images but Image Resizer cannot process
+    if (!ImageResizerConstants::IsSupportedImageExtension(pszExt))
+    {
+        free(pszPath);
+        return S_OK;
+    }
+
    // TODO: Instead, detect whether there's a WIC codec installed that can handle this file
    AssocGetPerceivedType(pszExt, &type, &flag, NULL);

@@ -417,6 +427,16 @@ HRESULT __stdcall CContextMenuHandler::GetState(IShellItemArray* psiItemArray, B
        return E_FAIL;
    }

+    // Check if the extension is actually supported by Image Resizer
+    // This prevents showing the menu for file types like .psd that Windows
+    // perceives as images but Image Resizer cannot process
+    if (!ImageResizerConstants::IsSupportedImageExtension(pszExt))
+    {
+        CoTaskMemFree(pszPath);
+        *pCmdState = ECS_HIDDEN;
+        return S_OK;
+    }
+
    // TODO: Instead, detect whether there's a WIC codec installed that can handle this file
    AssocGetPerceivedType(pszExt, &type, &flag, NULL);
Author	SHA1	Message	Date
copilot-swe-agent[bot]	5ac509ab2b	Security review: No vulnerabilities found Security analysis completed - whitelist approach with proper input validation Co-authored-by: yeelam-gordon <73506701+yeelam-gordon@users.noreply.github.com>	2026-02-05 15:24:23 +00:00
copilot-swe-agent[bot]	e8afe02adf	Code review: Update null check to modern C++ convention - Use modern convention (extension == nullptr) for better readability - Add clarifying comment about lowercase requirement in extension list Co-authored-by: yeelam-gordon <73506701+yeelam-gordon@users.noreply.github.com>	2026-02-05 15:23:47 +00:00
copilot-swe-agent[bot]	8da754c1b6	Refactor: Move supported extensions to shared constants file - Move extension list and validation function to ImageResizerConstants.h - Eliminate code duplication between MSI and MSIX handlers - Single source of truth for supported extensions Co-authored-by: yeelam-gordon <73506701+yeelam-gordon@users.noreply.github.com>	2026-02-05 15:23:04 +00:00
copilot-swe-agent[bot]	92fe5b531e	Fix Image Resizer context menu appearing for unsupported file types like PSD - Add extension whitelist check in both MSI and MSIX context menu handlers - Validate file extensions against supported list before showing menu - Prevents context menu from appearing for .psd and other unsupported formats Co-authored-by: yeelam-gordon <73506701+yeelam-gordon@users.noreply.github.com>	2026-02-05 15:20:17 +00:00
copilot-swe-agent[bot]	71d55ac50f	Initial plan	2026-02-05 15:17:01 +00:00