Pixel Flood / lottapixel DoS vulnerability #1680
I could not find any discussion regarding that topic, so I am opening this issue (sorry if there is already one I missed).
There is a wiki page authored by @sethherr about the Pixel flood attack vector already. I was wondering if the default for all carrierwave apps is to be vulnerable to this? If so, I don't think we can expect everyone to go to the wiki, search for this specific page and apply this fix.
The exploit is actively being used already and is very simple. Anyone can upload a 5kb JPG file and take down any vulnerable server within seconds. I had this happen to one of my servers today and was very surprised by how easy the attack is. If it is not already, being safe from it should be the default.
I second this not being addressed in CarrierWave itself.
The reason I didn't set a
I agree with you that not all apps use Imagemagick with Carrierwave. However, one common principle for many gems and rails itself has always been "secure by default". If you just add carrierwave with imagemagick to your rails project and don't read all the pages in the wiki nor have any experience with this issue, your app will be vulnerable. And this is the 80% use case for apps where users can upload images.
I am not saying that it is the responsibility of carrierwave to prevent these kinds of attacks. However, we should at least inform users about this more clearly IMO (something in the README like WARNING: If you are processing images without image dimension validation you are vulnerable to DoS attacks. Read more here…).
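The dimension validation this thread asks for, as an added example that is not CarrierWave's own code nor the wiki fix: a dependency-free Ruby pre-check that reads the width and height a JPEG declares in its SOF header and rejects the upload when the declared pixel area exceeds a limit, before the file ever reaches ImageMagick. `MAX_PIXELS`, `reject_pixel_flood?` and the `sample_jpeg` headers are assumptions constructed for this example.

```ruby
# Added example, not CarrierWave code: inspect the declared frame size in a
# JPEG's Start-Of-Frame (SOFn) segment without decoding any pixels.
MAX_PIXELS = 25_000_000 # assumed cap (~5000x5000); tune per application

# SOFn markers carry the dimensions: 0xC0..0xCF except DHT, JPG and DAC.
SOF_MARKERS = ((0xC0..0xCF).to_a - [0xC4, 0xC8, 0xCC]).freeze

# Returns [width, height] from the first SOFn segment, or nil if absent.
def jpeg_dimensions(bytes)
  return nil unless bytes.byteslice(0, 2) == "\xFF\xD8".b # SOI
  pos = 2
  while pos + 4 <= bytes.bytesize
    return nil unless bytes.getbyte(pos) == 0xFF
    marker = bytes.getbyte(pos + 1)
    if marker == 0xFF                 # fill byte, real marker follows
      pos += 1
      next
    end
    return nil if marker == 0xD9 || marker == 0xDA  # EOI / SOS: no SOF seen
    if (0xD0..0xD8).cover?(marker) || marker == 0x01 # standalone markers
      pos += 2
      next
    end
    length = bytes.byteslice(pos + 2, 2).unpack1("n") # includes itself
    return nil if length < 2
    if SOF_MARKERS.include?(marker)
      return nil if length < 7 || bytes.bytesize < pos + 9
      height, width = bytes.byteslice(pos + 5, 4).unpack("nn")
      return [width, height]
    end
    pos += 2 + length
  end
  nil
end

# True when the file should not be handed to the image processor:
# unparsable headers are rejected too, rather than trusted.
def reject_pixel_flood?(bytes, max_pixels = MAX_PIXELS)
  dims = jpeg_dimensions(bytes)
  return true if dims.nil?
  dims[0] * dims[1] > max_pixels
end

# Constructed sample (not real image data): SOI, an APP0 segment to skip,
# an SOF0 declaring the given size, then EOI. A few dozen bytes suffice to
# claim a canvas of billions of pixels, which is the whole attack.
def sample_jpeg(width, height)
  app0 = [0xFF, 0xE0, 4, 0, 0].pack("CCnCC")
  sof0 = [0xFF, 0xC0, 17, 8, height, width].pack("CCnCnn") +
         [3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1].pack("C*")
  "\xFF\xD8".b + app0 + sof0 + "\xFF\xD9".b
end
```

A real `process` step would run this check (or the equivalent header read for other formats) in a `before :cache` callback or a validation, and only then call out to ImageMagick.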