Security Fix for Command Injection - huntr.dev #1

Open
wants to merge 2 commits into
base: master

Conversation

huntr-helper

@d3v53c (https://huntr.dev/users/d3v53c) has fixed a potential Command Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | *
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/node-latex-pdf/1/README.md

User Comments:

📊 Metadata *

node-latex-pdf is a package that converts your LaTeX files to PDF format.

Bounty URL: https://www.huntr.dev/bounties/1-npm-node-latex-pdf/

⚙️ Description *

Used child_process.execFile() instead of child_process.exec().

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape it. I replaced it with execFile(), which mitigates any possible Command Injections as it accepts input as arrays.

🐛 Proof of Concept (PoC) *

Installation

npm i node-latex-pdf

Run poc.js

var a = require("node-latex-pdf");
// The second argument carries a shell metacharacter followed by an extra command
a("./", "& touch HACKED", function () {});

node poc.js

🔥 Proof of Fix (PoF) *

Before:
image

After:
image

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

🔗 Relates to...

418sec/huntr#1797

d3v53c and others added 2 commits January 27, 2021 02:20
2 participants