Imagetragick and How to Protect Ruby Apps from it
-
There is a huge vulnerability in ImageMagick. In layman’s terms: if you do any kind of image manipulation, such as uploading avatars or photos or resizing them, you are most likely using ImageMagick, and this concerns you. In theory, by uploading a specially crafted file (which may not be an image at all, or may be an SVG image with some “features”), an attacker can gain access to your system. This is VERY bad. The “trademark” name for it is Imagetragick: https://imagetragick.com/ Sysadmins should install the special policy file on their systems ASAP.
-
Said vulnerability can also be prevented in Rails by using the carrierwave-bombshelter gem at https://github.com/DarthSim/carrierwave-bombshelter It was previously used to protect against image bomb uploads, but now includes Imagetragick protection as well.
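As an added example (not code from this post or from the carrierwave-bombshelter gem), here is a small Ruby check in the spirit of what such a gem does: it sniffs the magic bytes of an upload and refuses anything that is not a known raster format, or whose real type disagrees with the declared extension, so SVG, MVG or plain-text content never reaches ImageMagick. Function names and the sample files are constructed for this illustration.

```ruby
require 'tmpdir'

# Magic-byte signatures of the raster formats we are willing to hand to ImageMagick.
# Anything else (SVG, MVG, MSL, plain text, ...) is refused before ImageMagick sees it.
MAGIC = {
  'jpeg' => ["\xFF\xD8\xFF".b],
  'png'  => ["\x89PNG\r\n\x1A\n".b],
  'gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

# Declared extensions we accept, mapped to the type the content must really have.
EXTENSION_TO_TYPE = { 'jpg' => 'jpeg', 'jpeg' => 'jpeg', 'png' => 'png', 'gif' => 'gif' }.freeze

# Returns the raster type detected from the leading bytes, or nil if none matches.
def detect_image_type(head)
  head = head.b
  MAGIC.each { |type, sigs| return type if sigs.any? { |sig| head.start_with?(sig) } }
  nil
end

# Returns :ok when the file may be passed on, otherwise a symbol naming the reason
# it must be rejected. The declared filename is attacker-controlled, so it is only
# used to decide what the content is *required* to be, never trusted on its own.
def validate_upload(path, declared_filename)
  ext = File.extname(declared_filename).delete_prefix('.').downcase
  expected = EXTENSION_TO_TYPE[ext]
  return :unsupported_extension unless expected
  head = File.binread(path, 16) || ''.b
  actual = detect_image_type(head)
  return :not_a_raster_image unless actual      # e.g. SVG or text disguised as an image
  return :extension_mismatch unless actual == expected
  :ok
end

# Constructed sample uploads (hypothetical helper), written to a fresh temp dir.
def write_sample(name, content)
  path = File.join(Dir.mktmpdir('upload'), name)
  File.binwrite(path, content.b)
  path
end

if __FILE__ == $PROGRAM_NAME
  p validate_upload(write_sample('avatar.png', "\x89PNG\r\n\x1A\n" + "\0" * 8), 'avatar.png')
  p validate_upload(write_sample('avatar.png', '<svg xmlns="http://www.w3.org/2000/svg"/>'), 'avatar.png')
end
```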
Comments
Yaroslav, good job for pointing out the fix of the trending ImageMagick vulnerability. Just a note - it seems like paperclip is not affected by this problem: https://github.com/thoughtbot/paperclip/issues/2190#issuecomment-216638180
Paperclip <4.3 seems to be vulnerable though. Anything less than 4.2.2 is vulnerable to an older exploit, CVE-2015-2963: https://robots.thoughtbot.com/paperclip-security-release
I’m linking to this Reddit discussion to provide more context if people need it.
Everyone should be sandboxing ALL their image/vector manipulation libraries (not just ImageMagick… but Batik, Ghostscript, pnglib, etc.), at least inside Docker containers. The attack vectors for all those are so large that there is little hope of ‘containing’ them. Another alternative is to use one of the image processing services.