Doyensec's ImageMagick Security Policy Evaluator allows developers and security experts to check if an XML Security Policy is hardened against a wide set of malicious attacks. It assists with the process of reviewing such policies, which is usually a manual task, and helps identify the best practices for ImageMagick deployments.
You can protect your installation from arbitrary file reads similar to CVE-2022-44268 by setting the path policy to:

<policy domain="path" rights="none" pattern="*"/>
<policy domain="path" rights="read|write" pattern="/tmp/imagemagick-reserved-folder/*"/>

The /tmp/imagemagick-reserved-folder/ path should be a directory controlled only by the underprivileged user running ImageMagick. The evaluator already warns you if the above directives are not set.
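The check the evaluator performs on the path domain can be reproduced offline. The following script is an added example written for this README, not the evaluator's own code: it parses a policy.xml document, verifies that the default-deny directive is present, and flags any read or write grant whose pattern reaches outside the reserved folder named above. The three policy documents are constructed samples, and the reserved directory is taken from the README as an assumption about your deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample: no "path" policy at all, so any path the user
# supplies (including an indirect read of a local file) is permitted.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>"""

# Constructed sample: default-deny on every path, then a single grant
# limited to the reserved folder recommended in the README.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="path" rights="none" pattern="*"/>
  <policy domain="path" rights="read|write" pattern="/tmp/imagemagick-reserved-folder/*"/>
</policymap>"""

# Constructed sample: default-deny is present, but the grant is far too broad.
OVERBROAD_POLICY = """<policymap>
  <policy domain="path" rights="none" pattern="*"/>
  <policy domain="path" rights="read" pattern="/etc/*"/>
</policymap>"""

# Assumption: the reserved folder used in the README's recommended policy.
RESERVED_DIR = "/tmp/imagemagick-reserved-folder/"


def path_policies(policy_xml):
    """Return (rights, pattern) pairs for every <policy domain="path"> element."""
    root = ET.fromstring(policy_xml)
    return [
        (p.get("rights", ""), p.get("pattern", ""))
        for p in root.iter("policy")
        if p.get("domain") == "path"
    ]


def check_path_domain(policy_xml, reserved_dir=RESERVED_DIR):
    """Return a list of findings; an empty list means the path domain is hardened."""
    findings = []
    entries = path_policies(policy_xml)

    # 1. Every path must be denied unless explicitly granted below.
    if ("none", "*") not in entries:
        findings.append(
            'missing default-deny directive: <policy domain="path" rights="none" pattern="*"/>'
        )

    # 2. Exactly the reserved folder should be granted read|write access.
    grants = [(r, pat) for r, pat in entries if r != "none"]
    if not any(pat == reserved_dir + "*" for _, pat in grants):
        findings.append(f"no read|write grant confined to {reserved_dir}*")

    # 3. Any other grant that escapes the reserved folder re-opens file access.
    for rights, pattern in grants:
        if not pattern.startswith(reserved_dir):
            findings.append(
                f'grant "{rights}" on pattern "{pattern}" reaches outside {reserved_dir}'
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY),
                      ("hardened", HARDENED_POLICY),
                      ("overbroad", OVERBROAD_POLICY)):
        result = check_path_domain(doc)
        print(f"{name}: {'OK' if not result else result}")
```

Run it against your real policy.xml by reading the file into a string and passing it to check_path_domain; an empty result means the two directives above are in place and no other path grant escapes the reserved folder.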
It is possible to use the online version of the tool at https://imagemagick-secevaluator.doyensec.com/. Otherwise you can serve the tool from your local machine using, for example, Python's built-in HTTP server (the first form is for Python 2, the second for Python 3):

$ python -m SimpleHTTPServer 8000
$ python3 -m http.server 8000
Read more about this tool on our dedicated blog post.
This project has been sponsored by Doyensec LLC.