Enforce an ImageMagick policy.xml for all pods.

This fix was heavily inspired by Mastodon's fix for GHSA-9928-3cp5-93fm. So, thank you Cure53 for finding this issue, thank you Mozilla for paying Cure53 to look into it, and thanks for Mastodon for fixing it.
2023-07-10 00:16:49 +02:00 · 2023-07-10 00:16:49 +02:00 · 42b835f0c0
commit 42b835f0c0
parent 52f206fa8a
5 changed files with 69 additions and 0 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,3 +1,7 @@
+# 0.7.18.2
+
+To avoid potential security issues, diaspora\* now makes sure that ImageMagick image processing always runs with a restricted `policy.xml`, regardless of the global system settings.
+
 # 0.7.18.1

 ## Bug fixes
--- a/config/imagemagick/policy.xml
+++ b/config/imagemagick/policy.xml
@ -0,0 +1,24 @@
+<policymap>
+  <policy domain="resource" name="time" value="30" />
+  <policy domain="resource" name="disk" value="256MiB"/>
+  <policy domain="resource" name="map" value="256MiB"/>
+  <policy domain="resource" name="memory" value="256MiB"/>
+
+  <policy domain="resource" name="height" value="56K"/>
+  <policy domain="resource" name="width" value="56K"/>
+
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="@*" />
+
+  <policy domain="coder" rights="none" pattern="*" />
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="module" rights="none" pattern="*" />
+
+  <!-- Image formats currently supported by diaspora*. -->
+  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+
+  <!-- Required for our captchas -->
+  <policy domain="coder" rights="read | write" pattern="LABEL" />
+  <policy domain="module" rights="read | write" pattern="LABEL" />
+</policymap>
--- a/config/initializers/imagemagick.rb
+++ b/config/initializers/imagemagick.rb
@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This is based on Mastodon doing the same, see
+# https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/config/initializers/paperclip.rb#L157-L162
+# At the time of writing, Mastodon is also licensed under the AGPL, see https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/LICENSE
+# so the following snippet is Copyright (C) 2016-2022 Eugen Rochko & other Mastodon contributors.
+ENV["MAGICK_CONFIGURE_PATH"] = begin
+  imagemagick_config_paths = ENV.fetch("MAGICK_CONFIGURE_PATH", "").split(File::PATH_SEPARATOR)
+  imagemagick_config_paths << Rails.root.join("config/imagemagick").expand_path.to_s
+  imagemagick_config_paths.join(File::PATH_SEPARATOR)
+end
+# end of Mastodon snippet
--- a/spec/fixtures/evil-image.ps.png
+++ b/spec/fixtures/evil-image.ps.png
@ -0,0 +1,12 @@
+%!
+%% ohno
+
+/Times-Roman findfont
+12 scalefont
+setfont
+
+newpath
+100 200 moveto
+(ohno) show
+
+showpage
--- a/spec/models/photo_spec.rb
+++ b/spec/models/photo_spec.rb
@ -264,4 +264,21 @@ describe Photo, :type => :model do
      end
    end
  end
+
+  context "with a maliciously crafted image" do
+    let(:base_path) { File.dirname(__FILE__) }
+    let(:public_path) { File.join(base_path, "../../public/") }
+    let(:evil_image) { File.open(File.join(base_path, "..", "fixtures", "evil-image.ps.png")) }
+
+    it "fails to process a PostScript file camouflaged as a PNG" do
+      photo = bob.build_post(:photo, user_file: evil_image, to: @aspect.id)
+
+      expect {
+        with_carrierwave_processing do
+          photo.unprocessed_image.store! evil_image
+          photo.save
+        end
+      }.to raise_error(CarrierWave::ProcessingError)
+    end
+  end
 end