From 75811b06d6d58edb057b7e98f0768a641fffa46e Mon Sep 17 00:00:00 2001 From: Andrey Antukh Date: Tue, 16 Jun 2026 15:22:03 +0000 Subject: [PATCH] :whale: Add ImageMagick policy.xml resource limits to backend Docker image Add a restrictive policy.xml to the backend Docker image that caps ImageMagick resource usage: 256MiB memory, 512MiB map, 128MP area, 30s time limit, 16KP max dimensions. Blocks PS/EPS/PDF/XPS coders to prevent Ghostscript attack surface. Co-authored-by: mimo-v2.5-pro --- docker/images/Dockerfile.backend | 2 ++ docker/images/files/imagemagick-policy.xml | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 docker/images/files/imagemagick-policy.xml diff --git a/docker/images/Dockerfile.backend b/docker/images/Dockerfile.backend index 46dc7277aa..01f940746a 100644 --- a/docker/images/Dockerfile.backend +++ b/docker/images/Dockerfile.backend @@ -128,6 +128,8 @@ COPY --from=build /opt/jre /opt/jre COPY --from=build /opt/node /opt/node COPY --from=penpotapp/imagemagick:7.1.2-13 /opt/imagick /opt/imagick +COPY files/imagemagick-policy.xml /opt/imagick/etc/ImageMagick-7/policy.xml + ARG BUNDLE_PATH="./bundle-backend/" COPY --chown=penpot:penpot $BUNDLE_PATH /opt/penpot/backend/ diff --git a/docker/images/files/imagemagick-policy.xml b/docker/images/files/imagemagick-policy.xml new file mode 100644 index 0000000000..2be955fa85 --- /dev/null +++ b/docker/images/files/imagemagick-policy.xml @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + +