The image_processing gem is a highly useful Ruby library that provides a convenient and unified wrapper for two prominent image processing libraries, libvips and ImageMagick/GraphicsMagick. It is commonly employed in web applications to process and manipulate images, including resizing, cropping, and applying various effects. In Ruby on Rails applications, image_processing is often used in conjunction with Active Storage, a core Rails component that facilitates file handling, preprocessing, and server-side processing.

However, a recent security vulnerability has been identified in image_processing prior to version 1.12.2, affecting its #apply method. This method is called internally by Active Storage variants, rendering them vulnerable to attack as well. This vulnerability, designated as CVE-2022-24720, allows attackers to execute arbitrary shell commands when passing unsanitized user input to the #apply method.

In this post, we will delve deeper into the nature of this vulnerability, discuss its consequences, and provide guidance on how to address it to protect your applications.

The Vulnerability

When using the #apply method from image_processing to apply a series of operations that are parsed from unsanitized user input, an attacker could potentially insert shell commands within the input parameters, leading to unauthorized server-side command execution.

Here is an example of vulnerable code:

# Assuming params is an unsanitized user input.
# Vulnerable pattern: operation names and their arguments are taken straight
# from the request body and handed to #apply without any allow-listing.
operations = JSON.parse(params[:operations])
image = ImageProcessing::Vips.source(image_source)
processed_image = image.apply(operations)

Given that the #apply method is called internally by Active Storage variants, several Active Storage imagemagick-related processors are affected as well. The vulnerability has been addressed and fixed in version 1.12.2 of image_processing.

How to Mitigate the Vulnerability

To safeguard your applications against this vulnerability, you should upgrade the image_processing gem to version 1.12.2 or later by updating your Gemfile and running bundle update:

# Gemfile
gem "image_processing", ">= 1.12.2"

$ bundle update image_processing

As an additional precaution, it's crucial to sanitize user input by strictly permitting a limited set of allowable operations. This can be achieved by explicitly defining a list of allowed operations and filtering out any user-provided operations that do not match your pre-defined list:

# Define a list of allowed operations
ALLOWED_OPERATIONS = ["resize_to_limit", "resize_to_fit", "resize_to_fill"]

# Assuming params is an unsanitized user input
operations = JSON.parse(params[:operations])

# Filter out any non-allowed operations.
# Works for both shapes #apply accepts: a Hash ({"resize_to_fit" => [800, 600]})
# yields |name, args| pairs, and an Array of [name, args] pairs destructures
# the same way. Note that this checks only the operation name; the arguments
# still pass through unchanged and should be validated separately.
filtered_operations = operations.select { |operation, _| ALLOWED_OPERATIONS.include?(operation) }

image = ImageProcessing::Vips.source(image_source)
processed_image = image.apply(filtered_operations)
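The allow-list above filters operation names but lets the argument values through untouched. The following is an added example (not code from the original post or from the image_processing project) that goes one step further: it validates both the operation name against an allow-list and each argument as a bounded positive integer, raises on anything else instead of silently dropping it, and returns the `[name, args]` pairs in the shape that `#apply` accepts. It also includes a small version check against the fixed 1.12.2 release using `Gem::Version`. The allow-list contents, the `MAX_DIMENSION` limit and the `InvalidOperation` error class are assumptions chosen for illustration; the gem itself is not loaded here, so the example runs offline.

```ruby
# Added example: strict validation of user-supplied image operations before
# they are passed to ImageProcessing::Vips#apply. Not part of the original
# post or the image_processing gem; the allow-list, the dimension bound and
# the error class below are assumptions for illustration.
require "json"

# Hypothetical allow-list: operation name => number of integer arguments expected.
ALLOWED_OPERATIONS = {
  "resize_to_limit" => 2,
  "resize_to_fit"   => 2,
  "resize_to_fill"  => 2,
}.freeze

# Assumed upper bound for width/height so huge allocations are refused too.
MAX_DIMENSION = 4096

class InvalidOperation < StandardError; end

# Accepts either a JSON object, {"resize_to_fit": [800, 600]}, or an array of
# pairs, [["resize_to_fit", [800, 600]]]; JSON.parse yields a Hash or an Array
# for these two shapes, and both are normalised to [name, args] pairs.
def sanitize_operations(raw_json)
  parsed = JSON.parse(raw_json)
  pairs = case parsed
          when Hash  then parsed.to_a
          when Array then parsed
          else raise InvalidOperation, "operations must be an object or an array"
          end

  pairs.map do |pair|
    name, args = pair # a non-array pair leaves args nil and is rejected below

    unless name.is_a?(String) && ALLOWED_OPERATIONS.key?(name)
      raise InvalidOperation, "operation not allowed: #{name.inspect}"
    end

    args = Array(args)
    expected = ALLOWED_OPERATIONS.fetch(name)
    valid_args = args.length == expected &&
                 args.all? { |a| a.is_a?(Integer) && a.positive? && a <= MAX_DIMENSION }
    raise InvalidOperation, "bad arguments for #{name}: #{args.inspect}" unless valid_args

    [name, args]
  end
end

# Version of image_processing that contains the fix for CVE-2022-24720.
FIXED_VERSION = Gem::Version.new("1.12.2")

# True when the given version string (e.g. from Gemfile.lock) predates the fix.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# The hand-off to the gem would then be:
#   ImageProcessing::Vips.source(image_source).apply(sanitize_operations(params[:operations]))
if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  p sanitize_operations('{"resize_to_limit": [800, 800]}')
  begin
    sanitize_operations('[["not_an_operation", ["anything"]]]')
  rescue InvalidOperation => e
    puts "rejected: #{e.message}"
  end
  puts "1.12.1 vulnerable? #{vulnerable_version?('1.12.1')}"
end
```

Rejecting with an exception rather than filtering silently is deliberate: a request carrying an unknown operation name is worth logging as a signal, and the controller can translate `InvalidOperation` into a 400 response.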

References and Further Reading

To learn more about the vulnerability, its exploit details, and other relevant information, please consult the following resources:

1. CVE-2022-24720 in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-24720
2. image_processing GitHub repository: https://github.com/janko/image_processing
3. Fixed version 1.12.2 release notes: https://github.com/janko/image_processing/blob/master/CHANGELOG.md#1122
4. Active Storage documentation: https://guides.rubyonrails.org/active_storage_overview.html
5. libvips official website: https://libvips.github.io/libvips/
6. ImageMagick official website: https://imagemagick.org/
7. GraphicsMagick official website: http://www.graphicsmagick.org/

Conclusion

Security vulnerabilities like CVE-2022-24720 underscore the importance of providing adequate security measures when dealing with user input, particularly in sensitive areas of your application such as server-side processing. By upgrading your image_processing gem to version 1.12.2 and employing input sanitization techniques, you can minimize the risk associated with this vulnerability and ensure a safer environment for your users.

Timeline

Published on: 03/01/2022 23:15:00 UTC
Last modified on: 03/09/2022 17:58:00 UTC