From 686146ad27b2b22636f2d796d3d9fb3d9f28fcd9 Mon Sep 17 00:00:00 2001
From: Rajesh Simandalahi <rajsimand6@protonmail.com>
Date: Thu, 12 May 2022 17:01:33 +0200
Subject: [PATCH] Prevent remote shell execution in #apply
---
CHANGELOG.md | 4 ++++
lib/image_processing/chainable.rb | 8 ++++----
test/pipeline_test.rb | 15 +++++++++++++++
3 files changed, 23 insertions(+), 4 deletions(-)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## HEAD
+
+* Prevent remote shell execution when using `#apply` with operations coming from user input (@janko)
+
## 1.10.3 (2020-01-12)
* [vips] Fix auto-rotation not working in certain cases on libvips 8.9.0 (@janko)
--- a/lib/image_processing/chainable.rb
+++ b/lib/image_processing/chainable.rb
@@ -29,13 +29,13 @@
def apply(operations)
operations.inject(self) do |builder, (name, argument)|
if argument == true || argument == nil
- builder.send(name)
+ builder.public_send(name)
elsif argument.is_a?(Array)
- builder.send(name, *argument)
+ builder.public_send(name, *argument)
elsif argument.is_a?(Hash)
- builder.send(name, **argument)
+ builder.public_send(name, **argument)
else
- builder.send(name, argument)
+ builder.public_send(name, argument)
end
end
end
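Review bot: Switching to `public_send` on L28–L37 does not close the hole the commit describes, because the builder still inherits public methods from Object/BasicObject that re-open it: `Object#send` and `BasicObject#instance_eval` are public, so a user-supplied `apply(send: [:system, "touch foo.txt"])` or `apply(instance_eval: "system('touch foo.txt')")` runs the shell exactly as before. The operation name needs to be checked against the operations the builder actually defines before dispatch, e.g. `raise ArgumentError, "unsupported operation: #{name}" unless Chainable.public_instance_methods(false).include?(name.to_s.to_sym)` at the top of the block, extended with the processor's own operation names if those are resolved through `method_missing` rather than defined on Chainable (that part of the module is outside this hunk, so I cannot confirm how they are dispatched). The Hash/Array/scalar branching below the check can stay as is.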
--- a/test/pipeline_test.rb
+++ b/test/pipeline_test.rb
@@ -251,4 +251,19 @@
ImageProcessing::Vips.valid?(@portrait)
end
end
+
+ it "doesn't allow making system calls" do
+ ImageProcessing::Vips.source(@portrait).apply(system: "touch foo.txt")
+ refute File.exist?("foo.txt")
+
+ assert_raises Vips::Error do
+ ImageProcessing::Vips.source(@portrait).spawn("touch foo.txt").call
+ end
+ refute File.exist?("foo.txt")
+
+ assert_raises MiniMagick::Error do
+ ImageProcessing::MiniMagick.source(@portrait).spawn("touch foo.txt").call
+ end
+ refute File.exist?("foo.txt")
+ end
end
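Review bot: The new test on L48–L61 only probes `system:` and a `spawn` operation, so it would still pass while `apply(send: [:system, "touch foo.txt"])` and `apply(instance_eval: "system('touch foo.txt')")` execute the command, since both `send` and `instance_eval` are public methods reachable through `public_send`. Add those two calls, each followed by `refute File.exist?("foo.txt")`, so the test pins the actual attack surface rather than the one method name that happens to be private. Also consider wrapping the body in `begin ... ensure File.delete("foo.txt") if File.exist?("foo.txt") end` so a failing run does not leave an artifact that perturbs later test runs.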