
Shell Command Injection

Open susemeee opened this issue 6 years ago • 2 comments

Due to the use of /bin/sh -c blablabla..., it can execute an arbitrary command with a forged 'input', i.e.

const qpdf = require('node-qpdf');
qpdf.decrypt('/the/path/of/filename.pdf; ls -al; rm -rf /', 'somepassword');

It could take some time to resolve this issue, but at least it should be documented (to avoid putting an arbitrary path in the first argument).

susemeee avatar Dec 14 '18 02:12 susemeee

If the first argument used path.resolve would that help mitigate injection?

const path = require('path');
const qpdf = require('node-qpdf');
const injectString = '/the/path/of/filename.pdf; ls -al; rm -rf /';
qpdf.decrypt(path.resolve(__dirname, injectString), 'somepassword');

evolutionxbox avatar Nov 23 '20 18:11 evolutionxbox

The problem also exists in the encrypt method. You can, for example, provide $(echo hello > file) as a password and it will be executed.

sawmurai avatar Jan 05 '21 12:01 sawmurai