    add a pre-processor script for downloading external images · af8a77c4
    Matthew Fernandez authored
    A consistent request from Graphviz users has been the ability to use external
    URLs in `image` attributes. While this is a perfectly reasonable requirement, it
    is unclear how to implement this feature safely. Graphviz is a large, 40+ year
    old code base, written in a memory unsafe language, that has proliferated
    throughout the computing ecosystem. Adding the ability to make network requests
    and download (potentially untrusted) content from the internet seems to
    dramatically expand the Graphviz attack surface, something that may not be clear
    to sysadmins around the world when they update Graphviz on their systems and
    unwittingly acquire this functionality.
    
    This commit takes an alternative, more conservative approach. The included
    script can be used as a pre-processor, sitting in front of Graphviz itself. It
    deals with external resources, allowing Graphviz to then see input with only
    local image references.
    
    Note that this script, in addition to being used standalone on the command line,
    can be used programmatically:
    
      import tempfile
      from pathlib import Path
      from dot_url_resolve import resolve
    
      with open("my-graph.dot", "rt") as src:
        with open("my-translated-graph.dot", "wt") as dst:
          tmp = Path(tempfile.mkdtemp())
          resolve(src, dst, tmp)
    
    Gitlab: closes #1664
    Reported-by: Wolfgang Fahl
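
The pre-processor idea described in the commit message, as an added sketch that is not the project's `dot_url_resolve` script (its code is not shown on this page): remote `image` URLs are fetched and rewritten to local files before Graphviz sees the graph. The names `localize_images` and `fetch`, the scheme allow-list, the size cap and the regex-based attribute matching are all assumptions made for illustration.

```python
import hashlib
import re
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

MAX_BYTES = 5 * 1024 * 1024            # assumed per-image size cap
ALLOWED_SCHEMES = {"http", "https"}    # assumed allow-list; file:, ftp:, ... are refused
KNOWN_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
# Regex match of image="..." is a simplification; it is not a full DOT parser.
IMAGE_ATTR = re.compile(r'(\bimage\s*=\s*")([^"]*)(")')


def fetch(url: str) -> bytes:
    """Read at most MAX_BYTES + 1 bytes so an oversized body is detectable."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read(MAX_BYTES + 1)


def localize_images(dot: str, outdir: Path, fetcher=fetch) -> str:
    """Return `dot` with remote image URLs replaced by files saved in `outdir`."""
    def replace(m: re.Match) -> str:
        value = m.group(2)
        if "://" not in value:
            return m.group(0)          # already a local reference
        parts = urlsplit(value)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            raise ValueError(f"refusing scheme {parts.scheme!r} in {value!r}")
        data = fetcher(value)
        if len(data) > MAX_BYTES:
            raise ValueError(f"{value!r} exceeds {MAX_BYTES} bytes")
        # Name the file from a hash of the URL, never from the URL's own path,
        # so "../" or absolute components cannot steer where it is written.
        suffix = Path(parts.path).suffix.lower()
        name = hashlib.sha256(value.encode()).hexdigest()[:16]
        target = outdir / (name + (suffix if suffix in KNOWN_SUFFIXES else ""))
        target.write_bytes(data)
        return m.group(1) + target.as_posix() + m.group(3)

    return IMAGE_ATTR.sub(replace, dot)


if __name__ == "__main__":
    import tempfile
    # Constructed sample graph and a stub fetcher, so the demo runs offline.
    sample = 'digraph { a [image="https://example.com/logo.png"]; b [image="local.png"]; }'
    with tempfile.TemporaryDirectory() as d:
        print(localize_images(sample, Path(d), fetcher=lambda url: b"\x89PNG stub"))
```

The default `fetch` places no restriction on destination hosts, so a deployment that processes untrusted graphs from inside a private network would also need a host check before the request is made.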