From a9099f9e2383affcdca60e86ab167216f1ec68b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?= <regis@hanol.fr>
Date: Mon, 21 Dec 2015 16:08:14 +0100
Subject: [PATCH] SECURITY: ensure we never accept fake images

---
 app/models/upload.rb                        |  11 +++++++---
 spec/controllers/uploads_controller_spec.rb |  21 ++++++++++++++++++++
 spec/fixtures/images/fake.jpg               | Bin 0 -> 2881 bytes
 3 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 spec/fixtures/images/fake.jpg

diff --git a/app/models/upload.rb b/app/models/upload.rb
index 8e2150541f9..6c693730184 100644
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -67,7 +67,7 @@ class Upload < ActiveRecord::Base
   def self.create_for(user_id, file, filename, filesize, options = {})
     DistributedMutex.synchronize("upload_#{user_id}_#{filename}") do
       # do some work on images
-      if FileHelper.is_image?(filename)
+      if FileHelper.is_image?(filename) && system("identify '#{file.path}' >/dev/null 2>&1")
         if filename =~ /\.svg$/i
           svg = Nokogiri::XML(file).at_css("svg")
           w = svg["width"].to_i
@@ -122,7 +122,7 @@ class Upload < ActiveRecord::Base
       upload = find_by(sha1: sha1)
 
       # make sure the previous upload has not failed
-      if upload && upload.url.blank?
+      if upload && (upload.url.blank? || is_dimensionless_image?(filename, upload.width, upload.height))
         upload.destroy
         upload = nil
       end
@@ -141,8 +141,9 @@ class Upload < ActiveRecord::Base
       upload.height            = height
       upload.origin            = options[:origin][0...1000] if options[:origin]
 
-      if FileHelper.is_image?(filename) && (upload.width == 0 || upload.height == 0)
+      if is_dimensionless_image?(filename, upload.width, upload.height)
         upload.errors.add(:base, I18n.t("upload.images.size_not_found"))
+        return upload
       end
 
       return upload unless upload.save
@@ -162,6 +163,10 @@ class Upload < ActiveRecord::Base
     end
   end
 
+  def self.is_dimensionless_image?(filename, width, height)
+    FileHelper.is_image?(filename) && (width.blank? || width == 0 || height.blank? || height == 0)
+  end
+
   def self.get_from_url(url)
     return if url.blank?
     # we store relative urls, so we need to remove any host/cdn
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index 2a0ceaf22c9..4a57897e771 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -19,6 +19,13 @@ describe UploadsController do
         })
       end
 
+      let(:fake_jpg) do
+        ActionDispatch::Http::UploadedFile.new({
+          filename: 'fake.jpg',
+          tempfile: file_from_fixtures("fake.jpg")
+        })
+      end
+
       let(:text_file) do
         ActionDispatch::Http::UploadedFile.new({
           filename: 'LICENSE.TXT',
@@ -118,6 +125,20 @@ describe UploadsController do
         expect(response).to_not be_success
       end
 
+      it 'returns an error when it could not determine the dimensions of an image' do
+        Jobs.expects(:enqueue).with(:create_thumbnails, anything).never
+
+        message = MessageBus.track_publish do
+          xhr :post, :create, file: fake_jpg, type: "composer"
+        end.first
+
+        expect(response.status).to eq 200
+
+        expect(message.channel).to eq("/uploads/composer")
+        expect(message.data["errors"]).to be
+        expect(message.data["errors"][0]).to eq(I18n.t("upload.images.size_not_found"))
+      end
+
     end
 
   end
diff --git a/spec/fixtures/images/fake.jpg b/spec/fixtures/images/fake.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..e59fa523ee03a3f7f9b9ac66eb6344d33c383837
GIT binary patch
literal 2881
zcmV-H3%>M2S5ppD5&!^r+Lc({a}(DUzh}R$w6-kS1_K6y2nGiuBVhsw0vwDj8#~xC
zmIxn-g07^y(!xrs?5_Ngrj6T%HvLZ1kC)DL+?PJJ5B&=|)0xh6I@1{$+VI-PzU8?u
zP0!txEj}`tR>R(V?m6e4dp>^m?BaEz-XkQsMaX_2GyMk$As-I@6$rWHRE+e>%xrwU
zZZ+IAt}c((Jg=EfCfC;1POqIkZ9CQEnF|*#BvTW~iHUL47<V@s9$O!8xW`5(eFHPx
zEjwn@GwnuPtXau!d6!2=J60>@U8BvGWBDd4<s`Rwoi{u;dFJ#PG*l_44cn<RZ;~~e
zmRV-PTylNft=Z)VYiyN|8y0hGmy%sYvBxt#i%(8f>=KX9T6{hJYJ94@-`5UQgmR_p
z=;TvjGO_z~*{&y>j$LV$(I*2<`J12KB1|+}CChYc+?i}O9yIK=;D|0)=#(AKJo{OV
z9iEU|tWj;TDxb_O`Lf-$?<4d0<V0$Gk!_4mq|TfRyb#Pw$>);Y;b8qH$xQ5D@+C4Y
zeeuN?cXb&Htl^_*zqw2N->*OYdt(s`zO7H&4G+_P&AiXb56niD{BciTj1ZI&!(nxP
zhQ!EeBJ5CtcDC;P=ii@C5we->`RC_TzW}1F+GeHKuf=J;DhjA(#H8gs2hHh$#N+E;
zIFG}u$*qdE)T)=bqqNM17n}FhXH2)ryfUUNvh3JZhr6!NAIR}?%Q3x;jN{mj&x&5l
z=a+LH^ICyQ?|il^j6EMuBygaD_AR!d<(g=W>-XJhW?3av(JY%)xDyW48r%!tT)BQd
z;Cbs_o;g+S=}2`9_snJT9n#g1Ms2#B&53!hUsOKbay`4g8*EgZQg!TBqcUw<wlh$+
z8-`hJIsCfmq8aYEQN&u);vT=o8WoE>J$92fI&`$zNk?bB$9*~>9cI5kZ;+A>r_Z#X
zR-l$$onap96w2Melk1_K+`?E7X2V{avFpri4EpqZ!#{`zyuMC>*FEkunAM-@5c8M_
z$6#gN!zz`Xl&Y?W=<UmiF;`|5U$iScw3NM<o1VI!3A;P2eb3h_jaL?r3Dvy1CGtmu
z?577hmvhxDduH9gnR+*?TFG{>T9Mt1=Qo;MonKnMnO8g{bzk7O2&H6WLAvWH%d9rE
z>C93-v!XJwh+s+MJM}%P2;BD8?Uu_k4OX&vCE{|gyI(K0JkM_U@reY~Osk?V`sxCV
z>h$&b={I92@s~UG-gk{-hU2$v%c;Z-$F2uq9}TTxAh#UW42xrZupBLI#B(-=>DJ;i
z=%8iBU%6sBZpAtoACIqMtL*VB;{&#$U}i1VbFdz?j*!9pt3C=;`vG?x;M6K%$qYM;
zbCBEKAc7#AL4<i1-dBA|UwtDWIyVP#zQW&Yao1DC%^ADt=Oymhaj}d$fs9w;6}#LL
z4gF%=cOe~*;BknF@`Jo^Q00QFdA=94vrWTh#+qDnJqOR}#pf;NnBo9e!Jfxr-P0Gj
zSF<aMxO!UMr+aXhSPGnnS9kWoI&7$GX2q*%HEvdGUZ{#0u9;<5EnA#9M?2W+HvOsG
z+2lkjbv{{YnU-fZ_B_);(m@_Zo@LGibGCG!m;FwGcZNGho>lTM3quI6@<8$6R~R|;
zbW2S?*CWFvUNsxDCRV#FU=pf0Y;6U1^-i-UD<Mogle_)+X5hTB!d=^Hi5JA}7dUq)
zZ&ZYx&~$cj`FbXwIsDAI&o^f!yPR1HEw5zfRx-I<UoJC!b7ek%=U!%ICA-oi8uPte
zeky-67n;uo%>L(k8{*)p?v{@4d#=CvFyfVTPie#BZh-3$!pmb;I<EW7yjTo<SszTt
z2Vdxf>3HnfUYL&W2|5mfbmyk0Bf1pPm53hEb^PAIq=-vCyky7Afku3dxd`dCM&RC2
zEvQoT`Ipx-HSB+(;zM5!ls!W*BoAprvHek%4DA^@J~XxuR1#_oM~Cg<=J0#N&afN$
zK#pi2={>z_q%RulAL!FUPcJtpNK{fNs8psDLKMPO(y7!#rCusUsMJRxN|k=94Nz^6
z(!Eq0qS`*H?WfuSstr@^Ak_|0?J(6|qS_Iv#i@3bYA;jm7}Z8-=mdpVD4e9>Qxp;u
z#;J0eLXtv?!UTnL6wXsPMCI2gyiVZ)mD3b1Quz{v%M>OlT%j;U;VOk`3Nuv7P?)7K
zM`51A0)<5iOBAvcmMPqzutN15)$>%pN%gm=ev8uE6z))Xo5DL(M`?lT?^3u&^#Q6E
zDP<H&l$I$}D0VsBpn8=;je<$xK7|JqtZ*H|9)w#EUWM?Q6kdn$287=Ss<$Y7jSiwG
zU#IX53LjF~1Pb58=OI4d#iu~w$2ffgRQf4U<x_lqhR@F-7JN++2|yx}1hPyd8AqHH
zMa3U}NP#BAR8Z3H5E4UJ47wP4gb7*dScBe3SS8TkM~Dm%CHMu_j~{PjKn#OGq&-07
zz4+-h1Vr5jM8mImdH_gh7)baa5d9F4p2I+TUjh<20tD?q6nYgvLwIypZl~surOA5#
z-;lmF_Ky^Y_@+{a_B<)Z6QkLq;7>0@@mS(O+t`yGk&qg08+!$Hym-PGWv|3A`gUqN
zb(f5NHkLY7hr=PMorLT@;Ltw)7Z@SOe<zI$%?>HTGzSY3XV^)Ujp!o>MkaP75=x}R
zS$4AB9=SAf;P@x9FRAsnjsC=|$Ts><urYr;h2uD|1Wv_q<1|ZhD5MrrWHVKl(TaS6
zoe@)U!Z^!b4Gx+*{!7?7NkO5Kc!Ql2GujNMQ(_ur=fxy;XJ12K3z3Bg*^Jax<ftdu
z>tYfL*$W~NwU{<8wvEB;C8=;htdZRor&W&sNyeas`vYxbAaPB&KX8Iw_QzBHh@lK5
zB@x5`#xjZ1PAnp682$@cdy}2S>|f8m0kMOfltU-wg)3aLz?jNj5!s)UCeo8vr++K|
zUjBo8bw<q)P{=G|k<1Y}MXnJ=A@f9yAV?KGS{0@L3`@U_g-2(Boog3j3o%lQw%bND
zyI<7N=r_(i6g4U=h&nASz~(|-MzNo&HzD?t@aT~M!4u!3;y~iA@M-os*<$AohvYd(
z&s@8@C@&F&ein}=%S2uvvZCtIUxD!9N#FyAM|G(!B4&MG;g4`*tgNteB_*Uh6ovO)
zlLOb3z%@m<c2T(YSh!YJzQi{_w=jses(4J$g&V~I<J{~G$i5*R4k>eR<L!G_7nKzP
zGRX<QvqTooD+`!MO^^QBcfPDV<voYTn4JGH1QkP2L+V3;%R=4{ArG5*fjK`SC5T8v
zQamcVDX8LG#w~U`h*A?#UJ_B36hBP${|-}~gZDpzkKyW~)(!NI2sBF+ncO969z)g^
zh$?Ae{bV~;P!<%jso+`L?Cp~Jh`m!%AG1P9Eh+5X!iAE!3nld${)bal^vL;VFm`Y3
z$)Q3qTO<WmEM*xK$|Gc~STQ(0Mz*XJs@W<LkRedR{zRxOh4l;qz9<=H+c=QDFA4HN
z+ZguAkYTlrgFYEH>TTnYPwGaaZ5;N=9>Z=MFCmHjE+mXa+NpNpTd=*gojoF$;a%pp
zyG&g$_X*}lux&KA65oNXZR5QianJ6akGp$%cbVVoG9$ap?{}GfiWctupq+|u#>z?p
zo)lt_3}-e5n=!<aadQA)2#Fs+3CXR8PhwF~-EL{IV2G>j#1CQX@mAtTu$6T&uYFkG
zQBhwc3pcid+CEOeu!6RJ0#7=E$AMrD^wCpSXGj!ZOQB=!6emS5Rcxh-tEu8zs<@si
fM)2Qla@haXdeP^-gW~T2FZ`+C3Nrr-lrbbYW3+^T

literal 0
HcmV?d00001