remote shell execution in v1.12.2

[ooooooo-q]

I confirmed from the 038e457 commit that there are other attack methods.

# call `send` from `public_send`
ImageProcessing::Vips.apply({ send: ["system", "echo CALL_SEND" ]})

# call `method_missing`
ImageProcessing::Vips.apply({ system!: "echo CALL_SYSTEM!" })

It seems that other unexpected behavior is possible, so I think it is better to make allow list and deal with it.

[janko]

Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for #send, #public_send, and #__send__, as well as fix #method_missing to also call #public_send instead of #send.

[brendon]

Did this one already get dealt with? Thought I saw something in the changes recently.

[janko]

There was an attempt on my side, but this issue showed there were other ways, so I reverted the non-fix.

TBH I don't consider this important to address, because inferring processing options directly from user input is a terrible idea. Even if I fixed remote shell execution, you would still allow trivial DoSing.

I believe I saw Active Storage adding a whitelist on their side, and they're the biggest dependants.

[brendon]

Sounds good :)