Detect file MIME type before checking exif headers

Before running exiftool from rake task, file's MIME type is checked.

Detect file MIME type before checking exif headers
1a4235b3 · charlie ablett · Yorick Peterse · 1b6d9e45 · 1a4235b3 · 1a4235b3
--- a/changelogs/unreleased/security-327154-only-jpeg-tiff.yml
+++ b/changelogs/unreleased/security-327154-only-jpeg-tiff.yml
+---
+title: Clean only legitimate JPG and TIFF files
+merge_request:
+author:
+type: security
--- a/lib/gitlab/sanitizers/exif.rb
+++ b/lib/gitlab/sanitizers/exif.rb
@@ -45,6 +45,7 @@ class Exif
      ALLOWED_TAGS = WHITELISTED_TAGS + IGNORED_TAGS
      EXCLUDE_PARAMS = WHITELISTED_TAGS.map { |tag| "-#{tag}" }
+      ALLOWED_MIME_TYPES = %w(image/jpeg image/tiff).freeze
      attr_reader :logger
@@ -96,12 +97,12 @@ def clean(uploader, dry_run: true)
        end
      end
+      private
      def extra_tags(path)
        exif_tags(path).keys - ALLOWED_TAGS
      end
-      private
      def remove_and_store(tmpdir, src_path, uploader)
        exec_remove_exif!(src_path)
        logger.info "#{upload_ref(uploader.upload)}: exif removed, storing"
@@ -133,15 +134,26 @@ def fetch_upload_to_file(uploader, dir)
        # upload is stored into the file with the original name - this filename
        # is used by carrierwave when storing the file back to the storage
        filename = File.join(dir, uploader.filename)
+        contents = uploader.read
+        check_for_allowed_types(contents)
        File.open(filename, 'w') do |file|
          file.binmode
-          file.write uploader.read
+          file.write contents
        end
        filename
      end
+      def check_for_allowed_types(contents)
+        mime_type = Gitlab::Utils::MimeType.from_string(contents)
+        unless ALLOWED_MIME_TYPES.include?(mime_type)
+          raise "File type #{mime_type} not supported. Only supports #{ALLOWED_MIME_TYPES.join(", ")}."
+        end
+      end
      def upload_ref(upload)
        "#{upload.id}:#{upload.path}"
      end

--- a/spec/lib/gitlab/sanitizers/exif_spec.rb
+++ b/spec/lib/gitlab/sanitizers/exif_spec.rb
@@ -4,6 +4,11 @@
 RSpec.describe Gitlab::Sanitizers::Exif do
  let(:sanitizer) { described_class.new }
+  let(:mime_type) { 'image/jpeg' }
+  before do
+    allow(Gitlab::Utils::MimeType).to receive(:from_string).and_return(mime_type)
+  end
  describe '#batch_clean' do
    context 'with image uploads' do
@@ -43,7 +48,7 @@
      end
    end
-    it 'filters only jpg/tiff images' do
+    it 'filters only jpg/tiff images by filename' do
      create(:upload, path: 'filename.jpg')
      create(:upload, path: 'filename.jpeg')
      create(:upload, path: 'filename.JPG')
@@ -53,12 +58,16 @@
      create(:upload, path: 'filename.txt')
      expect(sanitizer).to receive(:clean).exactly(5).times
      sanitizer.batch_clean
    end
  end
  describe '#clean' do
    let(:uploader) { create(:upload, :with_file, :issuable_upload).retrieve_uploader }
+    let(:dry_run) { false }
+    subject { sanitizer.clean(uploader, dry_run: dry_run) }
    context "no dry run" do
      it "removes exif from the image" do
@@ -76,7 +85,7 @@
          [expected_args, 0]
        end
-        sanitizer.clean(uploader, dry_run: false)
+        subject
        expect(uploader.upload.id).not_to eq(original_upload.id)
        expect(uploader.upload.path).to eq(original_upload.path)
@@ -89,23 +98,35 @@
        expect(sanitizer).not_to receive(:exec_remove_exif!)
        expect(uploader).not_to receive(:store!)
-        sanitizer.clean(uploader, dry_run: false)
+        subject
      end
      it "raises an error if the exiftool fails with an error" do
        expect(Gitlab::Popen).to receive(:popen).and_return(["error", 1])
-        expect { sanitizer.clean(uploader, dry_run: false) }.to raise_exception(RuntimeError, "failed to get exif tags: error")
+        expect { subject }.to raise_exception(RuntimeError, "failed to get exif tags: error")
+      end
+      context 'for files that do not have the correct MIME type' do
+        let(:mime_type) { 'text/plain' }
+        it 'cleans only jpg/tiff images with the correct mime types' do
+          expect(sanitizer).not_to receive(:extra_tags)
+          expect { subject }.to raise_error(RuntimeError, /File type text\/plain not supported/)
+        end
      end
    end
    context "dry run" do
+      let(:dry_run) { true }
      it "doesn't change the image" do
        expect(sanitizer).to receive(:extra_tags).and_return({ 'foo' => 'bar' })
        expect(sanitizer).not_to receive(:exec_remove_exif!)
        expect(uploader).not_to receive(:store!)
-        sanitizer.clean(uploader, dry_run: true)
+        subject
      end
    end
  end
@@ -119,7 +140,7 @@
      expect(Gitlab::Popen).to receive(:popen).and_return([tags, 0])
-      expect(sanitizer.extra_tags('filename')).not_to be_empty
+      expect(sanitizer.send(:extra_tags, 'filename')).not_to be_empty
    end
    it "returns an empty list for file with only whitelisted and ignored tags" do
@@ -130,7 +151,7 @@
      expect(Gitlab::Popen).to receive(:popen).and_return([tags, 0])
-      expect(sanitizer.extra_tags('some file')).to be_empty
+      expect(sanitizer.send(:extra_tags, 'some file')).to be_empty
    end
  end
 end