Open susemeee opened 5 years ago
If the first argument used path.resolve
would that help mitigate injection?
const path = require('path');
const qpdf = require('node-qpdf');
const injectString = '/the/path/of/filename.pdf; ls -al; rm -rf /';
qpdf.decrypt(path.resolve(__dirname, injectString), 'somepassword');
The problem also exists in the encrypt method. You can for example prove $(echo hello > file)
as a password and it will be executed.
Due to the using of
/bin/sh -c
blablabla... it can execute an arbitrary command with forged 'input'. i.e.It could take a time to resolve this issue, but at least it should be documented(to avoid putting arbitrary path on a first argument).