A lot of server-side applications invoke command line utilities for different tasks. One of the attack vectors to our server application could be abusing of these command line utilities vulnerabilities. For example due to CVE-2016-3714 vulnerability it is possible to prepare malicious image file execute arbitrary code by passing this file to imagemagick.
Imagemagick supports dozens of file formats and specifications for some formats consist of hundreds of pages. It's very probable that new vulnerabilities will be found in future. Such vulnerabilities are not depend on language or framework used by our application. Usually imagemagick invoked not directly but with help of some intermiddiate library (gem minimagick in ruby, imagemagick module in node or Imagick class in PHP). Only the CVE-2016-3714 vulnerability compromise simultaneously plenty of applications like CMSes, forums, blogs, ecommerce sites i.e. sites that user submitted images processing required. If we could implement sandboxing for major libraries used for imagemagick wrapping we could fix similar vulnerabilities in future.
Sandboxing got momentum in browsers. Chrome and later other browsers switch to model where each page processed in a sandboxed process.
I will use nsjail application as an example.
You will need c compiler and make utility for building:
sudo apt-get install gcc make
And we will need imagemagick package:
sudo apt-get install imagemagick
Let's clone nsjail sources and build them:
git clone https://github.com/google/nsjail.git pushd nsjail && make && popd
nsjail/nsjail -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -R /etc/alternatives/ -T /dev -B /home/andrew/out/ -R /home/andrew/in/ --keep_caps -- /usr/bin/convert /home/andrew/in/sample-large.jpg -resize 512x512 /home/andrew/out/thumbnail.jpg
We resize picture /home/andrew/in/sample-large.jpg into /home/andrew/out/thumbnail.jpg in this case.
In this article I used imagemagick as an example but similar approach could be used mitigate vulnerabilities in other applications that process user supplied data such as media files, archives or documents.