
Exif metadata not stripped when uploading image attachments via Emails

What does this MR do and why?

For #239343 (closed)

This MR fixes a minor vulnerability: the Exif metadata in images uploaded via email is not stripped. This bug does not occur with images uploaded via API/Web because they are actively handled by workhorse. The solution is simple. Gitlab::Email::AttachmentUploader is the single point where all image attachments are handled. Luckily for us, the Rails code base has an equivalent utility, Gitlab::Sanitizers::Exif, doing the same job as workhorse. The API of that sanitizer is easy to expand.

The reason behind this solution is explained in detail here: #239343 (comment 824662343).

How to set up and validate locally

  • Step 1: Upgrade the mailroom gem to 0.0.19. For historical reasons, the MailRoom version in the Rails code base is still stuck at 0.0.9. There are plenty of bugs that break the mailroom flow in a local environment.
diff --git a/Gemfile b/Gemfile
index 7a6e2a13c8c..538ae4c8a0d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -441,7 +441,7 @@ gem 'octokit', '~> 4.15'

 # Updating this gem version here is deprecated. See:
 # https://docs.gitlab.com/ee/development/emails.html#mailroom-gem-updates
-gem 'gitlab-mail_room', '~> 0.0.9', require: 'mail_room'
+gem 'gitlab-mail_room', '~> 0.0.19', require: 'mail_room'

 gem 'email_reply_trimmer', '~> 0.1'
 gem 'html2text'
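Review bot: The changed `gem 'gitlab-mail_room'` line sits directly under the comment stating that updating this gem version here is deprecated, with a link to the mailroom gem update docs. Because Step 1 presents this bump as a local setup workaround, keep it out of the MR's commits, or follow the linked process if the upgrade is really intended. The diff shown also covers only the Gemfile, so anyone applying it needs to regenerate Gemfile.lock as well.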
  • Step 2: Set the incoming_email and service_desk_email configuration to point to an email inbox.
  incoming_email:
    enabled: true
    address: "personal-email+%{key}@gmail.com"
    user: "personal-email@gmail.com"
    password: "something"
  service_desk_email:
    enabled: true
    address: "personal-email+%{key}@gmail.com"
    user: "personal-email@gmail.com"
    password: "something"
  • Step 3: restart all services
  • Step 4: start mailroom in a console with the following command
bundle exec mail_room -c ./config/mail_room.yml
  • Step 5: tail the mailroom logs with the following command, assuming the current working directory is the GitLab Rails directory.
tail -f ./log/mail_room_json.log
  • Step 6: open a random project and configure Service Desk in that project.


  • Step 7: compose an email to send to the email address mentioned in the settings page. Attach the target files used in the different scenarios.


  • Step 8: ensure the mail_room logs captured the incoming emails and that all jobs of EmailReceiverWorker and ServiceDeskEmailWorker are executed. Open the service desk section in the issue. The attachments are a part of the issue descriptions.


Screenshots or screen recordings

Case 1: Before this fix

When sending an email with exif data, the exif data is still accessible when downloading the attached image from the issue.


Case 2: After the fix

After this fix is applied, the exif data is stripped.


Bonus: the file without exif data is slightly smaller than the original file


Case 3: exif sanitizer doesn't affect images without exif

Exif data is available in tiff/jpg images only. When uploading a PNG image, it is processed successfully.


Case 4: exif sanitizer doesn't affect other data types

When uploading non-image data such as PDFs or spreadsheets, the sanitizer should not affect the content of those files. This scenario confirms those files stay intact and readable afterward.


MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Quang-Minh Nguyen
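
The four validation cases above can be reproduced without screenshots by checking attachment bytes directly. The following is an added example, not code from this MR and not how Gitlab::Sanitizers::Exif works: it walks JPEG header segments, reports whether an APP1/Exif segment is present, and removes it. It handles JPEG only, and all helper names and the sample bytes are constructed for illustration.

```ruby
# Added example (not GitLab code): find and drop APP1/Exif segments in a JPEG.
SOI = "\xFF\xD8".b           # start-of-image marker
EXIF_ID = "Exif\x00\x00".b   # identifier that opens an Exif APP1 payload

# Serialise one segment: 0xFF, marker, 2-byte big-endian length, payload.
def seg(marker, body)
  [0xFF, marker, body.bytesize + 2].pack('CCn') + body.b
end

# Returns [[marker, payload], ...] for the header segments and the untouched
# remainder (SOS segment, entropy-coded data, EOI). Fill bytes are not handled.
def jpeg_segments(data)
  data = data.b
  raise ArgumentError, 'not a JPEG' unless data.start_with?(SOI)
  segments = []
  pos = 2
  while pos + 4 <= data.bytesize
    raise ArgumentError, 'bad marker' unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    break if marker == 0xDA # start of scan: stop parsing, keep the rest as is
    len = data.byteslice(pos + 2, 2).unpack1('n')
    raise ArgumentError, 'truncated segment' if len < 2 || pos + 2 + len > data.bytesize
    segments << [marker, data.byteslice(pos + 4, len - 2)]
    pos += 2 + len
  end
  [segments, data.byteslice(pos, data.bytesize)]
end

def exif_segment?(marker, body)
  marker == 0xE1 && body.start_with?(EXIF_ID)
end

def exif?(data)
  data.b.start_with?(SOI) && jpeg_segments(data).first.any? { |m, b| exif_segment?(m, b) }
end

# Non-JPEG input (PNG, PDF, spreadsheets) is returned untouched.
def strip_exif(data)
  return data unless data.b.start_with?(SOI)
  segments, rest = jpeg_segments(data)
  SOI + segments.reject { |m, b| exif_segment?(m, b) }.map { |m, b| seg(m, b) }.join + rest
end

# Constructed sample: SOI, APP0/JFIF, APP1/Exif with a fake tag, SOS stub, EOI.
SAMPLE = SOI + seg(0xE0, "JFIF\x00") + seg(0xE1, EXIF_ID + 'constructed-gps-tag') +
         "\xFF\xDA\x00\x02\x12\x34\xFF\xD9".b
```

Running `exif?` on an attachment downloaded from the issue before and after the fix gives the same signal as Cases 1 and 2, and the size difference after `strip_exif` is exactly the length of the removed segment.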
