
security fix: use strict policy to prevent imagetragick vulnerability exploitation #131

wants to merge 1 commit into
base: master
9 changes: 8 additions & 1 deletion imagemagick.js
Expand Up @@ -21,7 +21,14 @@ function exec2(file, args /*, options, callback */) {
}
}

var child = childproc.spawn(file, args);
var env = Object.create(process.env);
if (env.MAGICK_CONFIGURE_PATH) {
console.warn('warn: MAGICK_CONFIGURE_PATH is already defined!');
}

env.MAGICK_CONFIGURE_PATH = __dirname + '/policy';

var child = childproc.spawn(file, args, { env: env });
var killed = false;
var timedOut = false;

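Review bot: The check on `env.MAGICK_CONFIGURE_PATH` only warns, and the assignment two lines later then replaces the operator's value, so a stricter site policy configured through that variable is silently dropped in favour of the bundled one. If ImageMagick treats that variable as a search path and loads every policy.xml it finds along it (I believe it does, but confirm against the ImageMagick version you target), prepending keeps both: `var policyDir = require('path').join(__dirname, 'policy');` followed by `env.MAGICK_CONFIGURE_PATH = env.MAGICK_CONFIGURE_PATH ? policyDir + require('path').delimiter + env.MAGICK_CONFIGURE_PATH : policyDir;`. `Object.create(process.env)` works only because `spawn` walks inherited properties with for…in; a short comment saying so, or a plain own-property copy where the supported Node version has `Object.assign`, would make the intent obvious. Note also that the bundled policy is a mitigation for the spawned ImageMagick binary only; the system-wide policy.xml still applies on top of it, so the warning text could say which file ends up in effect. exec2 begins and ends outside this hunk.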
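--- a/policy/policy.xml
+++ b/policy/policy.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Disable the vulnerable ImageMagick coders as suggested
+https://imagetragick.com/#policy
+-->
+<policymap>
+<policy domain="coder" rights="none" pattern="EPHEMERAL" />
+<policy domain="coder" rights="none" pattern="URL" />
+<policy domain="coder" rights="none" pattern="HTTPS" />
+<policy domain="coder" rights="none" pattern="MVG" />
+<policy domain="coder" rights="none" pattern="MSL" />
+<policy domain="coder" rights="none" pattern="TEXT" />
+<policy domain="coder" rights="none" pattern="SHOW" />
+<policy domain="coder" rights="none" pattern="WIN" />
+<policy domain="coder" rights="none" pattern="PLT" />
+</policymap>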
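Review bot: The policymap is a deny-list of nine coders and covers only the `coder` domain, so it is narrower than the "strict policy" the PR title promises. As far as I recall, the later revision of the imagetragick advisory also recommends closing the `path` domain against indirect file references, `<policy domain="path" rights="none" pattern="@*" />`, and disabling the remaining network coders, `<policy domain="coder" rights="none" pattern="HTTP" />` and the same for `FTP`; please verify against the current advisory text before adopting. The header comment should also state that this file only takes effect when MAGICK_CONFIGURE_PATH points at its directory (as imagemagick.js now arranges) and that any system-wide policy.xml still applies alongside it, so an operator reading the file knows it is an additive mitigation rather than a replacement.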
4 changes: 4 additions & 0 deletions sample-images/imagetragick_rce1.png
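--- a/test-tragick.js
+++ b/test-tragick.js
@@ -0,0 +1,25 @@
+var fs = require('fs');
+var im = require('./imagemagick');
+
+// this is a malicious png file (actually an mvg) demonstrating
+// one of the imagetragick vulnerabilities (CVE-2016–3714).
+// when passed to a vulnerable version of imagemagick's `identify` or
+// `convert` command line tool, it will create a file (touch) named `rce1`.
+// for more information see: https://imagetragick.com/
+var path = __dirname + '/sample-images/imagetragick_rce1.png';
+var pocFile = __dirname + '/rce1';
+
+fs.unlink(pocFile, function () {
+im.identify(path, function (err, features) {
+fs.exists(pocFile, function (exists) {
+if (exists) {
+console.log('Bad news! Exploit worked!');
+fs.unlink(pocFile, function () {
+console.log('Cleaned up!');
+});
+} else {
+console.log('Good news! Exploit failed!');
+}
+});
+});
+});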
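Review bot: The script prints `Bad news! Exploit worked!` but exits 0 on that path too, so a CI job or an `npm test` hook can never fail on a regression of the policy; add `process.exitCode = 1;` inside that branch before the cleanup `fs.unlink`. The `err` argument of `identify` is discarded, yet with the policy in place `identify` is expected to fail on the blocked MVG coder, so logging it (`if (err) console.log('identify rejected the file: ' + err.message);`) documents why a failure is the good outcome rather than a broken environment. `fs.exists` is deprecated in favour of `fs.stat`/`fs.access` for this kind of check, and `var path` shadows the name conventionally used for the `path` module; `samplePath` would avoid the confusion if the file ever needs `path.join`.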