Apply tile byte cap to local files + SSRF hardening on HTTP geotiff reads (#1664)

docs/source/reference/geotiff.rst

@@ -21,6 +21,59 @@ Writing
     xrspatial.geotiff.write_geotiff_gpu
     xrspatial.geotiff.write_vrt
 
+Security and I/O limits
+=======================
+
+``open_geotiff`` and the underlying reader enforce several limits to
+keep crafted or hostile inputs from exhausting memory or reaching
+internal network targets. All limits have safe defaults; advanced users
+can override them via environment variables.
+
+Per-tile / per-strip compressed-byte cap
+----------------------------------------
+
+A crafted TIFF can declare arbitrarily large ``TileByteCounts`` or
+``StripByteCounts``. Both the HTTP fetcher (which would issue a Range
+GET sized by the attacker's value) and the local-file decoder (where a
+small compressed slice can balloon under deflate / zstd / lzw) reject
+any tile or strip whose declared size exceeds the cap.
+
+* Default: 256 MiB
+* Override: ``XRSPATIAL_COG_MAX_TILE_BYTES`` (positive integer, bytes).
+  Non-integer, empty, zero, or negative values are ignored and fall back
+  to the default. Set above your largest legitimate tile or strip size.
+* Exception: ``ValueError`` ("safety cap")
+
+HTTP SSRF defenses
+------------------
+
+When ``open_geotiff`` is given an ``http://`` or ``https://`` URL, the
+reader rejects URLs that would let a service-side caller probe internal
+infrastructure. Other ``scheme://`` strings are dispatched through
+fsspec and are not covered by these checks.
+
+* Scheme allow-list: ``http`` and ``https`` only.
+* Host filtering: hostnames that resolve to a loopback (``127.0.0.0/8``,
+  ``::1``), link-local (``169.254.0.0/16``, ``fe80::/10``), or RFC1918
+  private range are rejected. Override via
+  ``XRSPATIAL_GEOTIFF_ALLOW_PRIVATE_HOSTS=1``. The check rejects on
+  *any* resolved IP being unsafe, which also blocks DNS-rebind tricks.
+* Redirect handling: at most 5 redirects per request. Each ``Location``
+  is re-validated against the same scheme and host filter, so a public
+  URL cannot 3xx-redirect into private space. Requires ``urllib3``; on
+  the stdlib fallback the same cap and re-validation are enforced via
+  a custom redirect handler.
+* Timeouts: 10 s connect, 30 s read by default. Override via
+  ``XRSPATIAL_GEOTIFF_HTTP_CONNECT_TIMEOUT`` and
+  ``XRSPATIAL_GEOTIFF_HTTP_READ_TIMEOUT`` (positive float, seconds).
+* Exception: :class:`xrspatial.geotiff.UnsafeURLError` (a
+  ``ValueError`` subclass).
+
+If you run an integration test against a local HTTP server (e.g.
+``http.server`` bound to ``127.0.0.1``), set
+``XRSPATIAL_GEOTIFF_ALLOW_PRIVATE_HOSTS=1`` for the duration of the
+test.
+
 Strict mode (``XRSPATIAL_GEOTIFF_STRICT``)
 ==========================================
 

xrspatial/geotiff/__init__.py

@@ -43,14 +43,15 @@
     from typing import BinaryIO
 
 from ._geotags import GeoTransform, RASTER_PIXEL_IS_AREA, RASTER_PIXEL_IS_POINT
-from ._reader import read_to_array
+from ._reader import UnsafeURLError, read_to_array
 from ._writer import write
 
 # All names below are part of the supported public API. ``plot_geotiff``
 # is intentionally omitted: it is deprecated in favour of ``da.xrs.plot()``
 # and emits a ``DeprecationWarning`` when called.
 __all__ = [
     'GeoTIFFFallbackWarning',
+    'UnsafeURLError',
     'open_geotiff',
     'read_geotiff_gpu',
     'read_geotiff_dask',