Merge branch 'next-minor' into develop

diaspora · Jul 9, 2023 · 744f544 · 744f544
2 parents 8d38193 + f042f5d
commit 744f544
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 0 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -80,6 +80,10 @@ We recommend setting up new pods using Ruby 3.1, and updating existing pods to t
 * Tell users that there is no help in mobile version, allow to switch to desktop [#8407](https://github.com/diaspora/diaspora/pull/8407)
 * Add Smart App Banner on iOS devices [#8409](https://github.com/diaspora/diaspora/pull/8409)
 
+# 0.7.18.2
+
+To avoid potential security issues, diaspora\* now makes sure that ImageMagick image processing always runs with a restricted `policy.xml`, regardless of the global system settings.
+
 # 0.7.18.1
 
 ## Bug fixes

diff --git a/config/imagemagick/policy.xml b/config/imagemagick/policy.xml
@@ -0,0 +1,24 @@
+<policymap>
+  <policy domain="resource" name="time" value="30" />
+  <policy domain="resource" name="disk" value="256MiB"/>
+  <policy domain="resource" name="map" value="256MiB"/>
+  <policy domain="resource" name="memory" value="256MiB"/>
+
+  <policy domain="resource" name="height" value="56K"/>
+  <policy domain="resource" name="width" value="56K"/>
+
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="@*" />
+
+  <policy domain="coder" rights="none" pattern="*" />
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="module" rights="none" pattern="*" />
+
+  <!-- Image formats currently supported by diaspora*. -->
+  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
+
+  <!-- Required for our captchas -->
+  <policy domain="coder" rights="read | write" pattern="LABEL" />
+  <policy domain="module" rights="read | write" pattern="LABEL" />
+</policymap>
diff --git a/config/initializers/imagemagick.rb b/config/initializers/imagemagick.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This is based on Mastodon doing the same, see
+# https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/config/initializers/paperclip.rb#L157-L162
+# At the time of writing, Mastodon is also licensed under the AGPL, see https://github.com/mastodon/mastodon/blob/610cf6c3713e414995ea1a57110db400ccb88dd2/LICENSE
+# so the following snippet is Copyright (C) 2016-2022 Eugen Rochko & other Mastodon contributors.
+ENV["MAGICK_CONFIGURE_PATH"] = begin
+  imagemagick_config_paths = ENV.fetch("MAGICK_CONFIGURE_PATH", "").split(File::PATH_SEPARATOR)
+  imagemagick_config_paths << Rails.root.join("config/imagemagick").expand_path.to_s
+  imagemagick_config_paths.join(File::PATH_SEPARATOR)
+end
+# end of Mastodon snippet
diff --git a/spec/fixtures/evil-image.ps.png b/spec/fixtures/evil-image.ps.png
diff --git a/spec/models/photo_spec.rb b/spec/models/photo_spec.rb
@@ -267,4 +267,21 @@ def image_from(photo)
       end
     end
   end
+
+  context "with a maliciously crafted image" do
+    let(:base_path) { File.dirname(__FILE__) }
+    let(:public_path) { File.join(base_path, "../../public/") }
+    let(:evil_image) { File.open(File.join(base_path, "..", "fixtures", "evil-image.ps.png")) }
+
+    it "fails to process a PostScript file camouflaged as a PNG" do
+      photo = bob.build_post(:photo, user_file: evil_image, to: @aspect.id)
+
+      expect {
+        with_carrierwave_processing do
+          photo.unprocessed_image.store! evil_image
+          photo.save
+        end
+      }.to raise_error(CarrierWave::ProcessingError)
+    end
+  end
 end