
remote shell execution in v1.12.2

Open ooooooo-q opened this issue 3 years ago • 4 comments

I confirmed from the https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada commit that there are other attack methods.

# call `send` from `public_send`
ImageProcessing::Vips.apply({ send: ["system", "echo CALL_SEND" ]})

# call `method_missing`
ImageProcessing::Vips.apply({ system!: "echo CALL_SYSTEM!" })

It seems that other unexpected behavior is possible, so I think it is better to make an allow list and deal with it.

ooooooo-q, Mar 02 '22 22:03

Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for #send, #public_send, and #__send__, as well as fix #method_missing to also call #public_send instead of #send.

janko, Mar 03 '22 06:03
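One way to implement the two changes described in the reply above (a deny list for `send`/`public_send`/`__send__` in `apply`, and a `method_missing` that forwards with `public_send` rather than `send`), as an added example that is not the image_processing gem's own code; `Pipeline`, `DENIED` and `rejects?` are hypothetical names standing in for the gem's chainable builder:

```ruby
# Added example (not image_processing's code); Pipeline and rejects? are hypothetical.
class Pipeline
  # Reflection entry points that would let a hash key escape the public API.
  DENIED = %i[send public_send __send__ instance_eval instance_exec].freeze
  attr_reader :ops

  def initialize
    @ops = []
  end

  # An ordinary public operation the builder exposes (records it, chains).
  def resize_to_limit(width, height)
    @ops << [:resize_to_limit, width, height]
    self
  end

  # `foo!` forwards to `foo`. Forwarding with public_send rather than send
  # keeps private Kernel methods such as #system out of reach via the bang.
  def method_missing(name, *args, &block)
    base = name.to_s.chomp("!").to_sym
    return public_send(base, *args, &block) if name.to_s.end_with?("!") && respond_to?(base)
    super
  end

  def respond_to_missing?(name, include_private = false)
    (name.to_s.end_with?("!") && respond_to?(name.to_s.chomp("!").to_sym)) || super
  end

  # Apply { operation => args }, e.g. { resize_to_limit: [400, 400] }.
  def apply(operations)
    operations.each do |name, args|
      name = name.to_sym
      raise ArgumentError, "operation not allowed: #{name}" if DENIED.include?(name)
      args = [] if args == true           # `op: true` means "no arguments"
      args = [args] unless args.is_a?(Array)
      public_send(name, *args)            # a private method raises NoMethodError
    end
    self
  end

  # True when the builder refuses the operations (used by the checks below).
  def self.rejects?(operations)
    new.apply(operations)
    false
  rescue ArgumentError, NoMethodError
    true
  end
end
```

With this in place both hashes from the report are refused: the `send:` key hits the deny list, and `system!:` falls through `method_missing` to `public_send`, which cannot reach the private `Kernel#system`.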