From ede1f097a19604bdd62ffa60b5dcf47d601c9e06 Mon Sep 17 00:00:00 2001
From: Danny Grander
Date: Fri, 6 May 2016 17:00:27 +0300
Subject: [PATCH] =?UTF-8?q?security=20fix:=20use=20strict=20policy=20to=20?=
 =?UTF-8?q?prevent=20imagetragick=20vulnerability=20exploitation=20Using?=
 =?UTF-8?q?=20the=20provided=20policy.xml=20file=20prevents=20the=20exploi?=
 =?UTF-8?q?tation=20of=20the=20following=20vulnerabilities=20in=20ImageMag?=
 =?UTF-8?q?ick=20(https://imagetragick.com/)=20CVE-2016=E2=80=933714=20CVE?=
 =?UTF-8?q?-2016-3718=20CVE-2016-3715=20CVE-2016-3716=20CVE-2016-3717?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 imagemagick.js | 9 ++++++++-
 policy/policy.xml | 16 ++++++++++++++++
 sample-images/imagetragick_rce1.png | 4 ++++
 test-tragick.js | 25 +++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 policy/policy.xml
 create mode 100644 sample-images/imagetragick_rce1.png
 create mode 100644 test-tragick.js

diff --git a/imagemagick.js b/imagemagick.js
index b846c0c..9faad66 100644
--- a/imagemagick.js
+++ b/imagemagick.js
@@ -21,7 +21,14 @@ function exec2(file, args /*, options, callback */) {
 }
 }

- var child = childproc.spawn(file, args);
+ var env = Object.create(process.env);
+ if (env.MAGICK_CONFIGURE_PATH) {
+ console.warn('warn: MAGICK_CONFIGURE_PATH is already defined!');
+ }
+
+ env.MAGICK_CONFIGURE_PATH = __dirname + '/policy';
+
+ var child = childproc.spawn(file, args, { env: env });

 var killed = false;
 var timedOut = false;
diff --git a/policy/policy.xml b/policy/policy.xml
new file mode 100644
index 0000000..89f7f01
--- /dev/null
+++ b/policy/policy.xml
@@ -0,0 +1,16 @@
+ + + + + + + + + + + + +
diff --git a/sample-images/imagetragick_rce1.png b/sample-images/imagetragick_rce1.png
new file mode 100644
index 0000000..6c1c17b
--- /dev/null
+++ b/sample-images/imagetragick_rce1.png
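Review bot: The assignment `env.MAGICK_CONFIGURE_PATH = __dirname + '/policy';` discards any value the operator already set, so a pre-existing and possibly stricter site policy is dropped after nothing more than a console warning. ImageMagick documents MAGICK_CONFIGURE_PATH as a delimiter-separated search list (colon on POSIX, semicolon on Windows), so the safer form keeps the caller's entry behind the bundled one, e.g. `var policyDir = path.join(__dirname, 'policy');` and `env.MAGICK_CONFIGURE_PATH = env.MAGICK_CONFIGURE_PATH ? policyDir + path.delimiter + env.MAGICK_CONFIGURE_PATH : policyDir;` with `path` required at the top of the file — confirm against the installed ImageMagick that a policy.xml found earlier in the list is still applied when a later directory also carries one. The spawn line deserves a why-comment such as `// Object.create(process.env) is deliberate: Node copies inherited enumerable keys into the child env, so the parent's variables still reach ImageMagick`, since a later maintainer is likely to "fix" it into a plain copy. This is a mitigation rather than a fix: the policy only limits what the spawned binary may do, and the affected ImageMagick versions still need upgrading. `exec2` starts and ends outside the hunk.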
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://tinyurl.com/favorites.gif"|touch "rce1)'
+pop graphic-context
diff --git a/test-tragick.js b/test-tragick.js
new file mode 100644
index 0000000..1198b47
--- /dev/null
+++ b/test-tragick.js
@@ -0,0 +1,25 @@
+var fs = require('fs');
+var im = require('./imagemagick');
+
+// this is a malicious png file (actually an mvg) demonstrating
+// one of the imagetragick vulnerabilities (CVE-2016–3714).
+// when passed to a vulnerable version of imagemagick's `identify` or
+// `convert` command line tool, it will create a file (touch) named `rce1`.
+// for more information see: https://imagetragick.com/
+var path = __dirname + '/sample-images/imagetragick_rce1.png';
+var pocFile = __dirname + '/rce1';
+
+fs.unlink(pocFile, function () {
+ im.identify(path, function (err, features) {
+ fs.exists(pocFile, function (exists) {
+ if (exists) {
+ console.log('Bad news! Exploit worked!');
+ fs.unlink(pocFile, function () {
+ console.log('Cleaned up!');
+ });
+ } else {
+ console.log('Good news! Exploit failed!');
+ }
+ });
+ });
+});
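Review bot: The check in test-tragick.js only prints its verdict, so the process exits 0 whether or not `rce1` appeared and a regression of the policy would pass unnoticed in CI; add `process.exitCode = 1;` in the `exists` branch before the cleanup `fs.unlink`. The `err` from `im.identify` is ignored, so a missing `identify` binary or a typo in the policy directory also ends in "Good news! Exploit failed!" — log `err` and distinguish the expected policy denial from a spawn failure such as ENOENT, otherwise the pass is vacuous. `fs.exists` is deprecated in favor of `fs.access` or `fs.stat`, and the marker depends on `touch` being on PATH, so on platforms without it the sample cannot leave the file even when the policy is not applied; that assumption belongs in the comment above `var path`, e.g. `// requires a POSIX shell with touch on PATH; elsewhere this test proves nothing`.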