elwerene / libreoffice-convert

MIT License
241 stars 94 forks

Security Fix for Remote Code Execution - huntr.dev #36

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/Asjidkalam has fixed the Remote Code Execution vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/libreoffice-convert/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/libreoffice-convert/1/README.md |

User Comments:

📊 Metadata *

Code execution Vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-libreoffice-convert

āš™ļø Description *

The libreoffice-convert module is vulnerable to RCE since a command is crafted using unvalidated user inputs and then executed, leading to arbitrary command injection. It was using the exec() function, which is vulnerable to Command Injection if it accepts user input and it goes through any sanitization or escaping.

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape it. I replaced it with execFile(), which mitigates any possible Command Injections as it accepts input as arrays.

šŸ› Proof of Concept (PoC) *

Install the package and run the code below:

```js
// poc.js
const libre = require('libreoffice-convert');

// The second argument (the output extension) is inserted unescaped into the
// shell command string that the module hands to exec(). The shell therefore
// runs the injected `touch HACKED`, and the trailing `#` comments out the
// remainder of the crafted command line.
libre.convert('', 'test; touch HACKED; #', undefined, (err, done) => {
  if (err) {
    console.log(`Error converting file: ${err}`);
  }
});
```

A file named HACKED will be created in the current working directory.

🔥 Proof of Fix (PoF) *

After applying the fix, run the PoC again and no files will be created. Hence command injection is mitigated.

šŸ‘ User Acceptance Testing (UAT)

Only execFile is used, no breaking changes introduced.

elwerene commented 3 years ago

I published version 1.1.2 with your fix. Thanks!