Merge branch 'next-minor' into develop

2023-07-10 01:19:08 +02:00 · 2023-07-10 01:19:08 +02:00 · 744f5449fb
commit 744f5449fb
parent 8d38193096 f042f5d490
5 changed files with 69 additions and 0 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -80,6 +80,10 @@ We recommend setting up new pods using Ruby 3.1, and updating existing pods to t
 * Tell users that there is no help in mobile version, allow to switch to desktop [#8407](https://github.com/diaspora/diaspora/pull/8407)
 * Add Smart App Banner on iOS devices [#8409](https://github.com/diaspora/diaspora/pull/8409)

+# 0.7.18.2
+
+To avoid potential security issues, diaspora\* now makes sure that ImageMagick image processing always runs with a restricted `policy.xml`, regardless of the global system settings.
+
 # 0.7.18.1

 ## Bug fixes
--- a/config/imagemagick/policy.xml
+++ b/config/imagemagick/policy.xml
@ -0,0 +1,24 @@
+<policymap>
+  <policy domain="resource" name="time" value="30" />
+  <policy domain="resource" name="disk" value="256MiB"/>
+  <policy domain="resource" name="map" value="256MiB"/>
+  <policy domain="resource" name="memory" value="256MiB"/>
+
+  <policy domain="resource" name="height" value="56K"/>
+  <policy domain="resource" name="width" value="56K"/>
+
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="@*" />
+
+  <policy domain="coder" rights="none" pattern="*" />
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="module" rights="none" pattern="*" />
+
+  <!-- Image formats currently supported by diaspora*. -->
+  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+
+  <!-- Required for our captchas -->
+  <policy domain="coder" rights="read | write" pattern="LABEL" />
+  <policy domain="module" rights="read | write" pattern="LABEL" />
+</policymap>
--- a/config/initializers/imagemagick.rb
+++ b/config/initializers/imagemagick.rb
@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This is based on Mastodon doing the same, see
+# https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/config/initializers/paperclip.rb#L157-L162
+# At the time of writing, Mastodon is also licensed under the AGPL, see https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/LICENSE
+# so the following snippet is Copyright (C) 2016-2022 Eugen Rochko & other Mastodon contributors.
+ENV["MAGICK_CONFIGURE_PATH"] = begin
+  imagemagick_config_paths = ENV.fetch("MAGICK_CONFIGURE_PATH", "").split(File::PATH_SEPARATOR)
+  imagemagick_config_paths << Rails.root.join("config/imagemagick").expand_path.to_s
+  imagemagick_config_paths.join(File::PATH_SEPARATOR)
+end
+# end of Mastodon snippet
--- a/spec/fixtures/evil-image.ps.png
+++ b/spec/fixtures/evil-image.ps.png
@ -0,0 +1,12 @@
+%!
+%% ohno
+
+/Times-Roman findfont
+12 scalefont
+setfont
+
+newpath
+100 200 moveto
+(ohno) show
+
+showpage
--- a/spec/models/photo_spec.rb
+++ b/spec/models/photo_spec.rb
@ -267,4 +267,21 @@ describe Photo, :type => :model do
      end
    end
  end
+
+  context "with a maliciously crafted image" do
+    let(:base_path) { File.dirname(__FILE__) }
+    let(:public_path) { File.join(base_path, "../../public/") }
+    let(:evil_image) { File.open(File.join(base_path, "..", "fixtures", "evil-image.ps.png")) }
+
+    it "fails to process a PostScript file camouflaged as a PNG" do
+      photo = bob.build_post(:photo, user_file: evil_image, to: @aspect.id)
+
+      expect {
+        with_carrierwave_processing do
+          photo.unprocessed_image.store! evil_image
+          photo.save
+        end
+      }.to raise_error(CarrierWave::ProcessingError)
+    end
+  end
 end