Imagetragick and How to Protect Ruby Apps from it
There is a huge vulnerability in ImageMagick. In layman’s terms, if you are doing any kind of image manipulation, like uploading avatars or photos or resizing images, you are most likely using ImageMagick, and this concerns you. In theory, by uploading a specially crafted file (which may not be an image at all, or may be an SVG image with some “features”), the attacker can gain access to your system. This is VERY bad. The “trademark” for it is Imagetragick: https://imagetragick.com/. Sysadmins should install a special policy file on their systems ASAP.
Said vulnerability can also be prevented in Rails by using the carrierwave-bombshelter gem at https://github.com/DarthSim/carrierwave-bombshelter. It was originally written to protect against image bomb uploads, but now includes Imagetragick protection as well.
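The policy file is the real fix, but an application-level check of the same flavour is easy to add yourself. The following is an added example, not code from the post or from the carrierwave-bombshelter gem: it sniffs the magic bytes of an upload and refuses anything that is not a genuine PNG/JPEG/GIF (the Imagetragick payload formats are text, so they never pass), and also rejects files whose claimed extension disagrees with their content. The sample uploads are constructed inline.

```ruby
require 'stringio'

# Leading bytes of the raster formats an avatar/photo upload is allowed to be.
RASTER_SIGNATURES = {
  'image/png'  => "\x89PNG\r\n\x1a\n".b,
  'image/jpeg' => "\xFF\xD8\xFF".b,
  'image/gif'  => 'GIF8'.b
}.freeze

class UnsafeUploadError < StandardError; end

# Returns the MIME type matching the file's magic bytes, or nil when the content
# is not an allowed raster format (SVG, MVG and MSL are text, so they never match).
def detect_raster_type(io)
  header = io.read(8).to_s.b
  io.rewind
  RASTER_SIGNATURES.each { |mime, magic| return mime if header.start_with?(magic) }
  nil
end

# Raises unless the bytes are a raster image AND the claimed extension agrees with
# them; ImageMagick picks its decoder from the content, not the file name.
def validate_upload!(io, filename)
  detected = detect_raster_type(io)
  raise UnsafeUploadError, "#{filename}: not a PNG/JPEG/GIF" if detected.nil?
  ext = File.extname(filename).downcase.delete('.')
  ext = 'jpeg' if ext == 'jpg'
  unless detected.end_with?(ext)
    raise UnsafeUploadError, "#{filename}: extension does not match #{detected}"
  end
  detected
end

# Constructed sample uploads (not real files): two genuine images, an SVG
# document renamed to .png, and PNG bytes under a .gif name.
SAMPLES = {
  'avatar.png' => "\x89PNG\r\n\x1a\n" + "\0" * 16,
  'photo.jpg'  => "\xFF\xD8\xFF\xE0" + "\0" * 16,
  'logo.png'   => '<svg xmlns="http://www.w3.org/2000/svg"></svg>',
  'pic.gif'    => "\x89PNG\r\n\x1a\n" + "\0" * 16
}.freeze

# Runs every sample through the check; returns name => MIME type or rejection reason.
def check_all(samples = SAMPLES)
  samples.to_h do |name, bytes|
    [name, validate_upload!(StringIO.new(bytes.b), name)]
  rescue UnsafeUploadError => e
    [name, "rejected: #{e.message}"]
  end
end

check_all.each { |name, result| puts "#{name}: #{result}" } if $PROGRAM_NAME == __FILE__
```

In a Rails app this belongs in the uploader or model validation, before any call into MiniMagick/RMagick; it complements the policy file rather than replacing it, since the policy also covers files that never pass through the upload path.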