Fix arbitray code execution on wkhtmltoimage

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-wkhtmltoimage/

⚙️ Description *

wkhtmltoimage was vulnerable against arbitrary command injection cause some user supplied inputs were taken and composed into string to be executed without prior sanitization
After update Arbitary Code Execution is avoided

💻 Technical Description *

Commands that relay on piping functions are excuted usng spawn and piping, sanitization is implemented but not for option.output, needed sanitization was implemented removing escaping chars

🐛 Proof of Concept (PoC) *

1. Install package
2. Create the following PoC file:

// poc.js
var wkhtmltoimage = require('./');
wkhtmltoimage.generate("test", {output:"test; touch HACKED; #"}, function(){});

3. Check there aren't files called HACKED
4. Execute the following commands in another terminal:

node poc.js #  Run the PoC

5. Recheck the files: now HACKED has been created

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally, functionality unafected

[toufik-airane]

LGTM 👍

[ghost]

Just to double check - would it not make more sense to whitelist allowed characters, since then the likelihood of a bypass is drastically decreased? I.e. alphanumeric only

[alromh87]

In this case I think it would liit the user on the directory for output file

[ghost]

I see what you mean - in that case can we tweak the regex to be alphanumeric and a slash (/)

[alromh87]

Done!

#2

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord