laravel-at/laravel-image-sanitize is a small but handy Laravel package to prevent malicious code execution coming into your application through uploaded image files.
It currently has 326 GitHub stars and 65,833 downloads on Packagist (latest version v5.0.0).
Install it with composer require laravel-at/laravel-image-sanitize.

This is a small but handy package to prevent malicious code execution coming into your application through uploaded images. It was created after being inspired by @appelsiini's talk on How to Hack your Laravel Application.
This version requires PHP 8.3+, Laravel 12 or 13, and Intervention Image 4.
You can install the package via composer:
composer require laravel-at/laravel-image-sanitize
Apply the middleware to routes that receive image uploads:
use App\Http\Controllers\FileController;
use LaravelAt\ImageSanitize\ImageSanitizeMiddleware;

Route::post('/files', [FileController::class, 'upload'])
    ->name('file.upload')
    ->middleware(ImageSanitizeMiddleware::class);
If you prefer a middleware alias, register it in your application's bootstrap/app.php file:
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;
use LaravelAt\ImageSanitize\ImageSanitizeMiddleware;

// Standard bootstrap/app.php skeleton; only the alias registration is specific to this package.
return Application::configure(basePath: dirname(__DIR__))
    ->withMiddleware(function (Middleware $middleware): void {
        $middleware->alias([
            'image-sanitize' => ImageSanitizeMiddleware::class,
        ]);
    })
    ->create();
Then use the alias on your upload routes:
use App\Http\Controllers\FileController;

Route::post('/files', [FileController::class, 'upload'])
    ->name('file.upload')
    ->middleware('image-sanitize');
If you want to learn more about middleware, please check out the official Laravel documentation.
You may publish the configuration file:
php artisan vendor:publish --tag=image-sanitize-config
The default configuration scans JPEG, PNG, GIF, BMP, and WebP uploads for suspicious byte patterns, then re-encodes matching images through Intervention Image. SVG files are not supported by default.
return [
    // Uploads with any other MIME type are left untouched by the middleware.
    'allowed_mime_types' => [
        'image/jpeg',
        'image/png',
        'image/gif',
        'image/bmp',
        'image/webp',
    ],
    // Byte patterns that mark an upload as suspicious and trigger re-encoding.
    'patterns' => [
        '<?php',
        'phar',
    ],
    'driver' => \Intervention\Image\Drivers\Gd\Driver::class,
    'quality' => 100,
    'auto_orientation' => true,
    'decode_animation' => true,
    'strip_metadata' => true,
];
You can also use the facade directly:
// detect() scans the raw bytes for the configured patterns; sanitize() re-encodes the image.
if (ImageSanitize::detect($contents)) {
    $contents = (string) ImageSanitize::sanitize($contents);
}
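To show why pattern scanning followed by re-encoding works, here is an added example built directly on GD; it is not the package's own code, and its `detect()`/`sanitize()` functions, the case-insensitive matching, and the GD extension being loaded are all assumptions. It builds a constructed fixture (a valid 2x2 GIF with a `<?php` tag appended after the GIF trailer), scans it, re-encodes it, and scans the result again.

```php
<?php
// Added example, not laravel-image-sanitize's implementation: a minimal
// stand-in for ImageSanitize::detect() / ::sanitize() using GD only.
// Assumes ext-gd is loaded; the pattern list mirrors the config above.

const PATTERNS = ['<?php', 'phar'];

/** True if any configured byte pattern occurs anywhere in the raw file. */
function detect(string $contents, array $patterns = PATTERNS): bool
{
    foreach ($patterns as $pattern) {
        if (stripos($contents, $pattern) !== false) { // case-insensitive (assumption)
            return true;
        }
    }
    return false;
}

/** Decode the pixels and write a fresh file: bytes outside the pixel data are dropped. */
function sanitize(string $contents): string
{
    $image = @imagecreatefromstring($contents);
    if ($image === false) {
        throw new RuntimeException('Not a decodable image; reject the upload');
    }
    $mime = getimagesizefromstring($contents)['mime'] ?? 'image/png';
    $encoders = ['image/gif' => 'imagegif', 'image/jpeg' => 'imagejpeg', 'image/png' => 'imagepng'];
    $encoder = $encoders[$mime] ?? 'imagepng';
    ob_start();
    $encoder($image);            // GD writes to the output buffer when no path is given
    return ob_get_clean();
}

// Constructed fixture: a valid 2x2 GIF with a PHP tag appended after the GIF trailer.
$canvas = imagecreatetruecolor(2, 2);
ob_start();
imagegif($canvas);
$polyglot = ob_get_clean() . "<?php // constructed marker, never executed\n";

var_dump(detect($polyglot));                     // scan the raw upload
$clean = sanitize($polyglot);
var_dump(detect($clean));                        // scan again after re-encoding
var_dump(strlen($clean) < strlen($polyglot));    // the appended tail is gone
```

The middleware applies the same idea to the request's uploaded files, using Intervention Image with the configured driver instead of raw GD calls.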
Run the test suite:
composer test
Run the full local quality check:
composer check
Or run the individual checks:
composer format-test
composer analyse
composer test
Please see CHANGELOG for more information on what has changed recently.
Please see CONTRIBUTING for details.
If you discover any security-related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.