Active Storage Command Injection Vulnerability via Unsafe Image Transformations

Vulnerability

A command injection vulnerability has been identified in Active Storage versions 5.2.0 through 7.1.5.2, as well as in version 8.0 prior to 8.0.2.1. This vulnerability arises when Active Storage is used with the image_processing gem and mini_magick as the image processor. The issue allows for the circumvention of default safety measures regarding image transformation methods and parameters. Vulnerable applications may inadvertently accept arbitrary user-supplied input as valid transformation methods or parameters, creating an opportunity for command injection.

Impact

Exploitation of this vulnerability could lead to command injection, allowing an attacker to execute arbitrary commands on the server where the application is running.

Remediation

Users can upgrade to Active Storage versions 8.0.2.1, 7.2.2.2, or 7.1.5.2 to address this vulnerability. Those unable to upgrade immediately should strictly validate user-supplied input for image transformation methods and parameters, since passing unvalidated input through to the image processor is dangerous. Deploying a strong ImageMagick security policy is also advised.
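The allowlist below is an added example of the strict validation recommended above; it is not code from this advisory, from Active Storage, or from the image_processing gem. It is plain Ruby with no Rails dependency: a request such as a query-string hash of transformations is reduced to a fixed set of permitted methods, each with a fixed parameter shape and range, and anything else is rejected before it could be forwarded to a variant call such as `blob.variant(**sanitized)`. The permitted method names, the 4096-pixel size limit and the accepted formats are assumptions chosen for the example, not values from the page.

```ruby
# Added example, not Active Storage or image_processing code: an allowlist that
# validates user-supplied image transformation requests before they are passed
# to a variant (e.g. blob.variant(**sanitized)). The permitted methods, the
# size limits and the accepted formats are assumptions chosen for this example.
module TransformationAllowlist
  class InvalidTransformation < StandardError; end

  MAX_DIMENSION = 4096
  FORMATS = %w[jpg jpeg png webp].freeze

  # Method name => the parameter shape its value must have. Anything not listed
  # here is rejected outright, regardless of the value supplied with it.
  ALLOWED = {
    "resize_to_limit" => :dimensions,
    "resize_to_fit"   => :dimensions,
    "resize_to_fill"  => :dimensions,
    "rotate"          => :degrees,
    "quality"         => :quality,
    "format"          => :format
  }.freeze

  # Returns a new Hash with symbol keys and normalised values, or raises
  # InvalidTransformation on the first disallowed method or malformed value.
  def self.sanitize(requested)
    raise InvalidTransformation, "transformations must be a Hash" unless requested.is_a?(Hash)

    requested.each_with_object({}) do |(method, value), out|
      name = method.to_s
      shape = ALLOWED[name]
      raise InvalidTransformation, "method not allowed: #{name.inspect}" unless shape

      out[name.to_sym] = public_send(:"check_#{shape}", name, value)
    end
  end

  # Strict integer parsing: only a base-10 integer literal is accepted, so
  # values such as "800x600" or "800; id" never reach the processor.
  def self.strict_int(name, value, range)
    int = Integer(value.to_s, 10)
    raise InvalidTransformation, "#{name}: #{int} outside #{range}" unless range.cover?(int)
    int
  rescue ArgumentError, TypeError
    raise InvalidTransformation, "#{name}: not an integer: #{value.inspect}"
  end

  # Dimensions must be a two-element [width, height] array of bounded integers.
  def self.check_dimensions(name, value)
    unless value.is_a?(Array) && value.length == 2
      raise InvalidTransformation, "#{name}: expected [width, height], got #{value.inspect}"
    end
    value.map { |v| strict_int(name, v, 1..MAX_DIMENSION) }
  end

  def self.check_degrees(name, value)
    strict_int(name, value, -360..360)
  end

  def self.check_quality(name, value)
    strict_int(name, value, 1..100)
  end

  # Output format is matched against a closed list rather than passed through.
  def self.check_format(name, value)
    fmt = value.to_s.downcase
    raise InvalidTransformation, "#{name}: unsupported format #{value.inspect}" unless FORMATS.include?(fmt)
    fmt
  end

  # Convenience predicate for controller-level checks.
  def self.valid?(requested)
    sanitize(requested)
    true
  rescue InvalidTransformation
    false
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests: one well-formed, one naming a method outside
  # the allowlist, one with a non-numeric dimension.
  p TransformationAllowlist.sanitize("resize_to_limit" => %w[800 600], "format" => "WEBP")
  p TransformationAllowlist.valid?("resize_to_limit" => %w[800 600], "draw" => "anything")
  p TransformationAllowlist.valid?("resize_to_limit" => ["800; id", "600"])
end
```

The design point is that the allowlist is keyed on the method name first and the value second: an unknown method is refused before its value is even inspected, and a known method only accepts the one parameter shape it is declared with, so neither half of the request can carry anything the processor was not meant to see.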

Added: Jan 30, 2026, 9:21 PM
Updated: Jan 30, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.