Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remote shell execution in v1.12.2 #100

Open
ooooooo-q opened this issue Mar 2, 2022 · 1 comment
Open

remote shell execution in v1.12.2 #100

ooooooo-q opened this issue Mar 2, 2022 · 1 comment

Comments

@ooooooo-q
Copy link

I confirmed from the 038e457 commit that there are other attack methods.

# call `send` from `public_send`
ImageProcessing::Vips.apply({ send: ["system", "echo CALL_SEND" ]})

# call `method_missing`
ImageProcessing::Vips.apply({ system!: "echo CALL_SYSTEM!" })

It seems that other unexpected behavior is possible, so I think it is better to make allow list and deal with it.
@janko
Copy link
Owner

janko commented Mar 3, 2022

Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for #send, #public_send, and #__send__, as well as fix #method_missing to also call #public_send instead of #send.

@wonda-tea-coffee wonda-tea-coffee mentioned this issue Dec 7, 2022
Closed
janko added a commit that referenced this issue Jul 24, 2024
@janko
Revert "Don't allow calling Kernel methods via loader/saver options"
4cc0440 
It doesn't fully resolve the security vulnerability, and there is no
point in only partially resolving it.

See #100

This reverts commit aed5b80.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ooooooo-q @janko