Don't allow calling Kernel methods via loader/saver options

Author: janko

CHANGELOG.md

@@ -1,3 +1,7 @@
+## HEAD
+
+* [minimagick] Don't allow calling Kernel options via `loader`/`saver` options (@janko)
+
 ## 1.12.2 (2022-03-01)
 
 * Prevent remote shell execution when using `#apply` with operations coming from user input (@janko)

lib/image_processing/mini_magick.rb

@@ -213,9 +213,9 @@ def disallow_split_layers!(destination_path)
         def apply_options(magick, define: {}, **options)
           options.each do |option, value|
             case value
-            when true, nil then magick.send(option)
-            when false     then magick.send(option).+
-            else                magick.send(option, *value)
+            when true, nil then magick.public_send(option)
+            when false     then magick.public_send(option).+
+            else                magick.public_send(option, *value)
             end
           end
 

test/mini_magick_test.rb

@@ -173,6 +173,26 @@
     assert_dimensions [600, 800], result
   end
 
+  it "doesn't allow calling Kernel methods via loader/saver options" do
+    error = assert_raises(MiniMagick::Error) do
+      ImageProcessing::MiniMagick
+        .source(@portrait)
+        .loader(system: "touch test/malicious.txt")
+        .call
+    end
+
+    assert_match "unrecognized option `-system'", error.message
+
+    error = assert_raises(MiniMagick::Error) do
+      ImageProcessing::MiniMagick
+        .source(@portrait)
+        .saver(system: "touch test/malicious.txt")
+        .call
+    end
+
+    assert_match "unrecognized option `-system'", error.message
+  end
+
   describe ".valid_image?" do
     it "returns true for correct images" do
       assert ImageProcessing::MiniMagick.valid_image?(@portrait)