The ImageMagick Security Policy Evaluator automates the assessment of XML Security Policies to ensure hardened configurations against malicious attacks in ImageMagick deployments.
The ImageMagick Security Policy Evaluator lets developers and security experts check whether an XML Security Policy is hardened against a wide set of malicious attacks. Reviewing such policies is normally a manual task; the evaluator automates it and helps identify best practices and security gaps in ImageMagick deployments.
It is intended for developers and security experts who need to review and validate ImageMagick XML Security Policies to prevent vulnerabilities such as arbitrary file reads.
Users should ensure that the restricted directory (e.g., /tmp/imagemagick-reserved-folder/) is properly controlled by a non-privileged user to prevent exploitation. The evaluator helps identify missing security directives but does not automatically fix policies, so manual review and application of recommendations are necessary.
Download or clone the repository locally
Serve the tool locally using a simple HTTP server, e.g., run `python -m SimpleHTTPServer 8000`
Access the tool via the local server URL in a web browser
python -m SimpleHTTPServer 8000
Starts a local HTTP server that serves the tool's web interface on port 8000 (this module is Python 2 only; on Python 3 use `python3 -m http.server 8000`)
<policy domain="path" rights="none" pattern="*"/>
Example XML policy directive that denies all rights in the `path` domain for every pattern; this default-deny rule is recommended as the baseline
<policy domain="path" rights="read|write" pattern="/tmp/imagemagick-reserved-folder/*"/>
Example XML policy directive that grants read/write rights only under a restricted directory controlled by an unprivileged user
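As an added example (not the evaluator's own code), a minimal Python check for the two `path`-domain directives shown above: it reports a missing default-deny rule and any grant that reaches outside the reserved directory from this page. The two sample policies are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Reserved directory from the page; assumed to be owned by an unprivileged user.
RESERVED = "/tmp/imagemagick-reserved-folder/"

# Constructed sample policies (not real deployments).
HARDENED = """<policymap>
  <policy domain="path" rights="none" pattern="*"/>
  <policy domain="path" rights="read|write" pattern="/tmp/imagemagick-reserved-folder/*"/>
</policymap>"""

WEAK = """<policymap>
  <policy domain="path" rights="read|write" pattern="*"/>
</policymap>"""


def evaluate_path_policy(xml_text, reserved=RESERVED):
    """Return a list of findings for the 'path' domain; empty means hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    rules = [p for p in root.iter("policy") if p.get("domain") == "path"]

    # Baseline: a rule that denies every path pattern must be present.
    denies_all = any(
        p.get("rights") == "none" and p.get("pattern") == "*" for p in rules
    )
    if not denies_all:
        findings.append(
            'missing default deny: <policy domain="path" rights="none" pattern="*"/>'
        )

    # Any grant must be confined to the reserved directory.
    for p in rules:
        rights, pattern = p.get("rights", ""), p.get("pattern", "")
        if rights == "none":
            continue
        if not pattern.startswith(reserved):
            findings.append(
                f'path grant "{rights}" on pattern "{pattern}" is outside {reserved}'
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, evaluate_path_policy(policy) or "OK")
```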