Software development is evolving very fast, and, with this evolution, security issues that have a big impact in the business appear more frequently.
In August and more recently, in October, Tavis Ormandy from the Google Project Zero team found new vulnerabilities in GhostScript. GhostScript is an interpreter for PostScript and PDF files. It is widely used by several applications like ImageMagick.
ImageMagick is a library for handling images that allows you to do image transformation, drawing, etc. It is commonly integrated in both websites and applications.
Normally, when a software developer needs to handle image upload and processing, it will only perform validations to the file extension. It’s important to really specify what is valid and to have a proper whitelist.
All binary files have the first bytes associated with a file type. Here, you can have a look into the first bytes of different file types.
The following gist contains some functions which show how to handle binary validation of image files. In this case we perform a check for the image types JPG (0xffd8) and PNG (0x89504e470d0a1a0a).
This binary validation should be performed before executing any action on the file, so that we can limit the files being handled by ImageMagick, therefore reducing this way the attack surface on our servers.
All tools which provide functionality to use image processing should provide these methods to the person that is developing the software.
In the case of arc, an image upload dependency for Elixir, the only validation indicated there is file validation by file extension. Although we have created an issue to integrate that, we haven’t receive a response so far.
Thank you for reading!
I hope this article helps you and your team saving some time and improving the codebase.
Don’t forget to follow Coletiv on Medium, Twitter and LinkedIn as we keep posting more and more interesting articles on multiple technologies. And if you think we should write about some specific topic, please let us know.
Thanks again for reading! Feel free to comment and share any question you might have!
Credits: Background image by freepik.com