janko / image_processing

High-level image processing wrapper for libvips and ImageMagick/GraphicsMagick
MIT License

remote shell execution in v1.12.2 #100

Open ooooooo-q opened 2 years ago

ooooooo-q commented 2 years ago

I confirmed from the https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada commit that there are other attack methods.

```ruby
# call `send` from `public_send`
ImageProcessing::Vips.apply({ send: ["system", "echo CALL_SEND" ]})

# call `method_missing`
ImageProcessing::Vips.apply({ system!: "echo CALL_SYSTEM!" })
```

It seems that other unexpected behavior is possible, so I think it is better to make an allow list and deal with it.

janko commented 2 years ago

Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for #send, #public_send, and #__send__, as well as fix #method_missing to also call #public_send instead of #send.
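The two mitigations discussed in this thread, an allow list of operation names checked before dispatch and a `method_missing` that forwards with `public_send` instead of `send`, as an added example. This is not image_processing's own code: `ToyPipeline`, its `OPERATIONS` list, `DENIED`, `apply_unsafe`, `apply_safe` and the private `privileged` stand-in method are all constructed for illustration, and the toy pipeline only records which operation ran instead of touching an image.

```ruby
# Added example (not image_processing's own code): a toy `apply`-style
# dispatcher showing why Hash keys must be checked against an allow list
# before they reach public_send, plus the method_missing fix from the thread.

class ToyPipeline
  # Allow list of operations a caller may name in the Hash (constructed).
  OPERATIONS = %i[resize_to_limit rotate].freeze

  attr_reader :log

  def initialize
    @log = []   # records which operations actually ran
  end

  def resize_to_limit(width, height)
    @log << [:resize_to_limit, width, height]
    self
  end

  def rotate(degrees)
    @log << [:rotate, degrees]
    self
  end

  # Bang form (e.g. `rotate!`) forwards to the plain operation. Using
  # public_send here rather than send keeps private methods such as
  # Kernel#system unreachable through names like `system!`.
  def method_missing(name, *args, &block)
    plain = name.to_s.chomp("!")
    if name.to_s.end_with?("!") && respond_to?(plain)
      public_send(plain, *args, &block)
    else
      super
    end
  end

  def respond_to_missing?(name, include_private = false)
    (name.to_s.end_with?("!") && respond_to?(name.to_s.chomp("!"))) || super
  end

  private

  # Stand-in for any privileged private method (think Kernel#system).
  def privileged(*args)
    @log << [:privileged, *args]
    self
  end
end

# Generic dispatch methods that must never be reachable from a Hash key,
# kept as a deny list for defence in depth behind the allow list.
DENIED = %i[send public_send __send__ instance_eval instance_exec method_missing].freeze

# Unsafe pattern: every key becomes a method name. public_send(:send, ...)
# bypasses visibility, so private methods become callable.
def apply_unsafe(pipeline, operations)
  operations.inject(pipeline) do |p, (name, args)|
    p.public_send(name, *Array(args))
  end
end

# Hardened pattern: reject unknown and generic-dispatch names before dispatch.
def apply_safe(pipeline, operations)
  operations.inject(pipeline) do |p, (name, args)|
    name = name.to_sym
    if DENIED.include?(name) || !p.class::OPERATIONS.include?(name)
      raise ArgumentError, "operation #{name.inspect} is not allowed"
    end
    p.public_send(name, *Array(args))
  end
end
```

With `apply_unsafe`, a Hash key of `send` reaches the private `privileged` method; `apply_safe` raises `ArgumentError` for that key and for anything else outside `OPERATIONS`, and the toy `method_missing` raises `NoMethodError` for `system!` because `respond_to?` does not report private methods.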