All versions of html-pdf are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as `request.open("GET","file:///etc/passwd")` will result in a PDF document with the contents of `/etc/passwd`.
Recommendation
No fix is currently available. There is a mitigation available in the provided reference.
Release Notes
marcbachmann/node-html-pdf
### [`v3.0.1`](https://togithub.com/marcbachmann/node-html-pdf/releases/v3.0.1)
[Compare Source](https://togithub.com/marcbachmann/node-html-pdf/compare/v3.0.0...v3.0.1)
- 🐛 Actually fix the `localUrlAccess: true` in [#616](https://togithub.com/marcbachmann/node-html-pdf/issues/616) using [https://github.com/marcbachmann/node-html-pdf/pull/623](https://togithub.com/marcbachmann/node-html-pdf/pull/623) support as the option accidentally got inverted
### [`v3.0.0`](https://togithub.com/marcbachmann/node-html-pdf/releases/v3.0.0)
[Compare Source](https://togithub.com/marcbachmann/node-html-pdf/compare/v2.2.0...v3.0.0)
##### Changelog
- 🛡️ Prevent local file access by default using the `localUrlAccess: false` option
- 💥 Drop node versions older than v12
##### 💥 Breaking Change
Prevent local file access by default to fix a security issue.
Please provide the `localUrlAccess: true` option if you want to keep the old behavior
but keep your system vulnerable to local file access.
Not sure this module is even usable without installing phantomjs manually.
On Linux you might need to download the executable.
The tests are running locally on macOS.
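The following Node.js snippet is an added example, not code from html-pdf, Renovate, or this PR. It puts the weak and hardened `localUrlAccess` settings described in the release notes side by side, refuses to render on an html-pdf older than 3.0.1 (the v3.0.1 note above says 3.0.0 shipped the option inverted), and screens untrusted HTML for `file:` URLs as a defence-in-depth and logging check before rendering. The `renderPolicy` helper, the version check and the sample HTML strings are assumptions constructed for this example; the `pdf.create()` call is shown only in a comment so the file runs without phantomjs installed.

```javascript
// Added example; not part of html-pdf, Renovate or this PR.
// Assumes the html-pdf v3 `localUrlAccess` option from the release notes.

// Weak configuration: opts back into the pre-3.0.0 behaviour the advisory
// describes (file:// URLs in untrusted HTML are reachable by the renderer).
const WEAK_OPTIONS = { format: 'A4', localUrlAccess: true };

// Hardened configuration: the v3 default, set explicitly so a copied snippet
// or a future default change cannot silently re-enable local file access.
const SAFE_OPTIONS = { format: 'A4', localUrlAccess: false };

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// The release notes say v3.0.0 shipped `localUrlAccess` inverted and v3.0.1
// corrected it, so the hardened default only means what it says from 3.0.1 on.
const MIN_FIXED = [3, 0, 1];
function hasLocalUrlAccessFix(installedVersion) {
  const v = parseVersion(installedVersion);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== MIN_FIXED[i]) return v[i] > MIN_FIXED[i];
  }
  return true;
}

// Defence in depth / detection: flag untrusted HTML that references a local
// file URL anywhere (script bodies, src/href attributes, CSS url()).
// This is an input screen for logging and rejection, not a replacement for
// upgrading and keeping localUrlAccess disabled.
const LOCAL_URL_RE = /\bfile:\/{0,3}[^\s"'<>)]*/gi;
function findLocalUrlReferences(html) {
  const hits = new Set();
  for (const m of String(html).matchAll(LOCAL_URL_RE)) hits.add(m[0]);
  return [...hits];
}

// Decide whether a render request may proceed and with which options.
// (Hypothetical policy helper written for this example.)
function renderPolicy(html, installedVersion) {
  const refs = findLocalUrlReferences(html);
  if (refs.length > 0) {
    return { allow: false, reason: `local file reference in input: ${refs.join(', ')}`, options: null };
  }
  if (!hasLocalUrlAccessFix(installedVersion)) {
    return { allow: false, reason: `html-pdf ${installedVersion} predates the 3.0.1 localUrlAccess fix`, options: null };
  }
  return { allow: true, reason: 'ok', options: { ...SAFE_OPTIONS } };
}

// Constructed sample inputs; the second reuses the advisory's own example.
const BENIGN_HTML = '<html><body><h1>Invoice #1234</h1><p>Total: 42.00</p></body></html>';
const SUSPICIOUS_HTML = '<html><body><script>var r=new XMLHttpRequest();r.open("GET","file:///etc/passwd",false);</script></body></html>';

// With the real library the call site would look like:
//   const pdf = require('html-pdf');
//   const policy = renderPolicy(untrustedHtml, require('html-pdf/package.json').version);
//   if (policy.allow) pdf.create(untrustedHtml, policy.options).toFile('out.pdf', cb);
function main() {
  console.log(renderPolicy(BENIGN_HTML, '3.0.1'));
  console.log(renderPolicy(SUSPICIOUS_HTML, '3.0.1'));
  console.log(renderPolicy(BENIGN_HTML, '2.2.0'));
}
main();
```

The version gate is deliberately strict: the ^3.0.0 range in this PR still admits 3.0.0, whose inverted option the release notes call out, so lockfile resolution should be checked rather than assumed.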
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates:

| Package | Change |
|---|---|
| html-pdf | `^2.2.0` -> `^3.0.0` |
GitHub Vulnerability Alerts
CVE-2019-15138

This PR has been generated by WhiteSource Renovate.