fix(security): Force Imagick to only accept HEIC/HEIF images#59206
Open
fabianzw wants to merge 1 commit intonextcloud:masterfrom
Open
fix(security): Force Imagick to only accept HEIC/HEIF images#59206fabianzw wants to merge 1 commit intonextcloud:masterfrom
fabianzw wants to merge 1 commit intonextcloud:masterfrom
Conversation
Signed-off-by: Fabian Zwemke <fabian@zwemke.de>
fabianzw
requested review from
ArtificialOwl,
come-nc,
provokateurin and
salmart-dev
and removed request for
a team
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The HEIC preview provider was disabled in the past due to security issues (HackerOne, #28077). While #44710 added MIME-checking as a security measure, the reliability of these checks is debatable. Furthermore, malicious files cause Imagick's pingImage to attempt unauthorized file access even before the check occurs (see below). This PR restricts Imagick to only accept HEIC/HEIF files, strengthening the defense against SVG SSRF attacks.
The issue with pingImage
When targeted by an SVG SSRF attack, Imagick's pingImage attempts to access files before the MIME type is verified. For a file named malicious.heic with the following content:
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" style="overflow: hidden; position: relative;" width="500" height="500"> <image x="0" y="0" width="500" height="500" xlink:href="/var/www/html/secret.png" stroke-width="1" id="image3204" /> </svg>pingImage will throw an exception if secret.png does not exist. I.e.:
nextcloud-1 | {(..) "message":"File: /admin/files/malicious.heic Imagick says:" (..) "occ_command":["occ","preview:generate-all"],"exception":{"Exception":"ImagickException","Message":"unable to open image '/var/www/html/secret.png': No such file or directory (..)TThe preview code should fail consistently regardless of whether secret.png exists. It should not try to access secret.png at all. With this PR, the preview will always fail like:
nextcloud-1 | {(..) "message":"File: /admin/files/malicious.heic Imagick says:" (..) "occ_command":["occ","preview:generate-all"],"exception":{"Exception":"ImagickException","Message":"ImageTypeNotSupported /var/www/html/data/admin/files/malicious.heic'Mislabeled files
#44710 attempted to preserve preview generation for JPEG/PNG files incorrectly ending in .heic. This functionality is removed by the stricter Imagick check. This is unlikely to be a common issue; I would prefer to reduce attack surface. For clarity, I removed JPEG, PNG etc. from the allowed MIME types. In theory, the MIME check is redundant as non-HEIC/HEIF images will fail in pingImage. I decided to leave it in the code, but I can also remove it, if wanted.
Checklist
3. to review, feature component)stable32)