Security Fix for Remote Code Execution - huntr.dev

[huntr-helper]

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/pdf-merge/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/pdf-merge/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-pdf-merge

⚙️ Description *

pdf-merge was vulnerable against arbitrary command injection cause some user supplied inputs were taken and formatted inside the exec() function without prior validation. After update Arbitary Code Execution is avoided

💻 Technical Description *

There was different handling implemented for windows and other systems, in case of other filename where sanitized, but not the execOptions and password leading to arbitrary code execution, missing sanitization was added

🐛 Proof of Concept (PoC) *

Install the package and run the below code:

const PDFMerge = require('./');

const files = [
    `1.pdf`,
    `2.pdf`,
    {file: `protected.pdf`, inputPw: 'test; touch HACKED2; #'}
];

//Buffer (Default)
PDFMerge(files, {execOptions: 'test; touch HACKED; #'})

const PDFMerge = require('./');

const files = [
    `1.pdf`,
    `2.pdf`,
    {file: `protected.pdf`, inputPw: 'test; touch HACKED2; #'}
];

//Buffer (Default)
PDFMerge(files, {execOptions: '2de'})

They will create a files named HACKED and HACKED2 in the working directory.

🔥 Proof of Fix (PoF) *

After fix no files are created

👍 User Acceptance Testing (UAT)

Commands can be executed normally

[JamieSlome]

@wubzz - let me know if you have any questions or thoughts!

Cheers! 🍰