node-wkhtmltoimage
Security Fix for Remote Code Execution - huntr.dev
https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/node-wkhtmltoimage/pull/2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/wkhtmltoimage/1/README.md
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-npm-wkhtmltoimage/
⚙️ Description *
wkhtmltoimage was vulnerable to arbitrary command injection because some user-supplied inputs were composed into a string that was then executed without prior sanitization. After the update, arbitrary code execution is avoided.
💻 Technical Description *
Commands that rely on piping functions are executed using spawn and piping; sanitization is implemented, but not for option.output. The needed sanitization was implemented by whitelisting valid characters.
🐛 Proof of Concept (PoC) *
- Install the package
- Create the following PoC file:
// poc.js
var wkhtmltoimage = require('./');
wkhtmltoimage.generate("test", {output:"test; touch HACKED; #"}, function(){});
- Check that there is no file called HACKED
- Execute the following commands in another terminal:
node poc.js # Run the PoC
- Recheck the files: HACKED has now been created
🔥 Proof of Fix (PoF) *
After the fix, no file is created
👍 User Acceptance Testing (UAT)
Commands can be executed normally; functionality is unaffected