Node.js third-party modules: Several simple remote code execution in pdf-image

2020-01-2317:10:09

gabriel-kimiaie

hackerone.com

EPSS

0.006

Percentile

78.9%

JSON

I would like to report “A simple remote code execution” in “pdf-image”.
It allows “a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value”.

Module

module name: pdf-imageversion:latestnpm page: https://www.npmjs.com/package/pdf-image

Module Description

Provides an interface to convert PDF’s pages to png files in Node.js by using ImageMagick.

Module Stats

[1] weekly downloads: 8,691

Vulnerability

Vulnerability Description

Hello there ! I understand this bug isn’t eligible for a bounty. I am reporting it either way. I’ve found several code execution in the pdf-image class, I tested one of them. They are simple and of course come from the child_process.exec call with lack of escaping. I tested one of them.

Steps To Reproduce:

var PDFImage = require(“pdf-image”).PDFImage;

var pdfImage = new PDFImage(‘“; sleep 500 #”’);
pdfImage.getInfo();

You can also exploit the vulnerability by submitting backticks (example payload: ls;sleep 5 which will be executed even though you’re double-quoting the input.

Patch

You can take example on your command-exists npm class:
var isUsingWindows = process.platform == ‘win32’
var cleanInput = function(s) {
if (/[^A-Za-z0-9_/:=-]/.test(s)) {
s = “'”+s.replace(/‘/g,"’\‘’“)+”‘";
s = s.replace(/^(?:’‘)+/g, ‘’) // unduplicate single-quote at the beginning
.replace(/\’‘’/g, “\'” ); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
return s;
}

if (isUsingWindows) {
cleanInput = function(s) {
var isPathName = /[\]/.test(s);
if (isPathName) {
var dirname = ‘"’ + path.dirname(s) + ‘"’;
var basename = ‘"’ + path.basename(s) + ‘"’;
return dirname + ‘:’ + basename;
}
return ‘"’ + s + ‘"’;
}
}