I would like to report "A simple remote code execution" in "pdf-image".
It allows "a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value".
module name: pdf-image
version: latest
npm page: https://www.npmjs.com/package/pdf-image
Provides an interface to convert PDF's pages to png files in Node.js by using ImageMagick.
[1] weekly downloads: 8,691
Hello there! I understand this bug isn't eligible for a bounty. I am reporting it either way. I've found several code executions in the pdf-image class and tested one of them. They are simple and of course come from the child_process.exec call with lack of escaping.
var PDFImage = require("pdf-image").PDFImage;
// the path is interpolated unescaped into the shell command that getInfo() runs
var pdfImage = new PDFImage('"; sleep 500 #');
pdfImage.getInfo();
You can also exploit the vulnerability by submitting backticks (example payload: `ls;sleep 5`),
which will be executed even though you're double-quoting the input.
You can take your command-exists npm class as an example:
var path = require('path');
var isUsingWindows = process.platform == 'win32'

// POSIX shells: anything outside a conservative whitelist is wrapped in
// single quotes, and embedded single quotes are rewritten as '\''
var cleanInput = function(s) {
    if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
        s = "'"+s.replace(/'/g,"'\\''")+"'";
        s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
            .replace(/\\'''/g, "\\'" ); // remove non-escaped single-quote if there are enclosed between 2 escaped
    }
    return s;
}

// cmd.exe has no single-quote quoting, so paths are double-quoted instead
if (isUsingWindows) {
    cleanInput = function(s) {
        var isPathName = /[\\]/.test(s);
        if (isPathName) {
            var dirname = '"' + path.dirname(s) + '"';
            var basename = '"' + path.basename(s) + '"';
            return dirname + ':' + basename;
        }
        return '"' + s + '"';
    }
}
https://github.com/mooz/node-pdf-image/blob/master/index.js#L27
Thanks!
Bad code relying on that class can fall foul of RCE.