nrhirani / node-qpdf

A Content Preserving transformations on PDFs wrapped around QPDF
MIT License
51 stars 54 forks

Shell Command Injection #8

Open susemeee opened 5 years ago

susemeee commented 5 years ago

Due to the use of /bin/sh -c blablabla..., it can execute an arbitrary command with a forged 'input', i.e.

const qpdf = require('node-qpdf');
// The first argument is spliced into a /bin/sh -c command string, so the ';' separators are parsed by the shell.
qpdf.decrypt('/the/path/of/filename.pdf; ls -al; rm -rf /', 'somepassword');

It could take time to resolve this issue, but at least it should be documented (to avoid putting an arbitrary path in the first argument).

evolutionxbox commented 3 years ago

If the first argument used path.resolve would that help mitigate injection?

const path = require('path');
const qpdf = require('node-qpdf');
const injectString = '/the/path/of/filename.pdf; ls -al; rm -rf /';
qpdf.decrypt(path.resolve(__dirname, injectString), 'somepassword');

sawmurai commented 3 years ago

The problem also exists in the encrypt method. You can for example provide $(echo hello > file) as a password and it will be executed.