Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fixed Remote Code Execution Vulnerability#1

Merged
huntr-helper merged 4 commits into418sec:masterfrom
mufeedvh:master
Mar 20, 2020
Merged

Fixed Remote Code Execution Vulnerability#1
huntr-helper merged 4 commits into418sec:masterfrom
mufeedvh:master

Conversation

@mufeedvh
Copy link

@mufeedvh mufeedvh commented Mar 10, 2020

⚙️ Fix:

The PDFImage() function doesn't validate the input of pdfFilePath input parameter. The pdfFilePath parameter accepts the path of the PDF file which is then used in a system command execution which when given without validation will result in a Remote Code Execution (RCE) Vulnerability.

What the fix does is: It validates the pdfFilePath input and checks for characters that can be used to concatenate any other system commands.

How:

The mitigation is implemented with a Regex (/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g) check for invalid characters in index.js

📎 Proof of Concept (PoC):

poc.js (put inside the node-pdf-image folder)

var PDFImage = require('.').PDFImage;

var pdfImage = new PDFImage('"; sleep 500 #"');
pdfImage.getInfo();

🔥 Fix On Action:

OSX:

$ brew install imagemagick ghostscript poppler

Linux (Ubuntu):

$ sudo apt-get install imagemagick ghostscript poppler-utils

Run PoC To Test Fix:

$ npm install
$ node poc.js

❤️ After Fix:

node-pdf-image-fixed-poc

✌️ Fixed!

@JamieSlome JamieSlome requested review from a team, JamieSlome and toufik-airane and removed request for a team March 13, 2020 09:43
toufik-airane
toufik-airane reviewed Mar 13, 2020
View reviewed changes
Copy link

@toufik-airane toufik-airane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dear @mufeedvh,

Thank you for your contribution.

The regexp isn't easily readable and so maintainable and especially two parts of the expression.
Can you ease the regular expression or at least document it?

Best regards.

index.js Outdated

function PDFImage(pdfFilePath, options) {
// validating the file path for invalid characters to prevent remote code execution
if (/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(pdfFilePath)) {
Copy link

@toufik-airane toufik-airane Mar 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regexp isn't easily readable and so maintainable and especially two parts of the expression.
The first part is |\|\||\| and the second is |\${.

@adam-nygate adam-nygate requested review from adam-nygate and removed request for JamieSlome March 13, 2020 12:06
adam-nygate
adam-nygate suggested changes Mar 13, 2020
View reviewed changes
Copy link
Member

@adam-nygate adam-nygate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, it looks like you're duplicating matches for $ symbols and pipes (matching both \|\| and \|). Feel free to revise and then we can accept the PR 🙂

@mufeedvh
Copy link
Author

mufeedvh commented Mar 13, 2020

Hi,

Check out the revised commit, I just cleaned up the Regex to /[`!@#$%^&*()_+\-=\[\]{};':"\\|,<>\/?~]/ to filter out special characters except . to only accept filenames.

toufik-airane
toufik-airane suggested changes Mar 14, 2020
View reviewed changes
Copy link

@toufik-airane toufik-airane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dear @mufeedvh,

You are restricting too many characters. Some characters seem not related to a command shell feature.

index.js Outdated

function PDFImage(pdfFilePath, options) {
// validating the file path for invalid characters to prevent remote code execution
var filter_chars = /[`!@#$%^&*()_+\-=\[\]{};':"\\|,<>\/?~]/;
Copy link

@toufik-airane toufik-airane Mar 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not all characters could trigger remote code execution.
You've blacklisted some harmful and probably legit one such as _ (underscore), ~ (tilde), etc.

I would only filter these characters, that have potential command shell feature:
;|`$()&<>

Copy link
Author

@mufeedvh mufeedvh Mar 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh yeah didn't think about it. I did it in a hurry and was sleepy! 😅

@mufeedvh
Copy link
Author

mufeedvh commented Mar 14, 2020

Done, fixed that! 👍

adam-nygate
adam-nygate approved these changes Mar 16, 2020
View reviewed changes
Copy link
Member

@adam-nygate adam-nygate left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@Mik317 Mik317 mentioned this pull request Mar 19, 2020
Closed
@huntr-helper
Copy link

huntr-helper commented Mar 20, 2020

Congratulations @mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!

@huntr-helper huntr-helper merged commit a39dc22 into 418sec:master Mar 20, 2020
@huntr-helper huntr-helper mentioned this pull request Mar 20, 2020
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@adam-nygate adam-nygate adam-nygate approved these changes

@toufik-airane toufik-airane toufik-airane approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mufeedvh @huntr-helper @adam-nygate @toufik-airane