
Security Fix for Remote Code Execution - huntr.dev#1

Open
huntr-helper wants to merge 3 commits intosugojs:masterfrom
418sec:master

Conversation

@huntr-helper

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/@sugo/wkhtmltopdf/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-%40sugo%2Fwkhtmltopdf

⚙️ Description *

wkhtmltopdf was vulnerable to arbitrary command injection because some user-supplied inputs were taken and composed into a string to be executed without prior sanitization.
After the update, arbitrary code execution is avoided.

💻 Technical Description *

Commands that rely on piping functions are executed using spawn and piping; shell-escape was used to sanitize params for execution on non-Windows systems.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
var wkp = require("@sugo/wkhtmltopdf");
wkp.wkhtmltopdf("test", [';touch', 'HACKED']);
  2. Check that there is no file called HACKED.
  3. Execute the following commands in another terminal:
npm i @sugo/wkhtmltopdf # Install affected module
node poc.js # Run the PoC
  4. Recheck the files: HACKED has now been created.

Screenshot from 2020-09-09 15-13-05

🔥 Proof of Fix (PoF) *

After fix no file is created

Screenshot from 2020-09-09 16-17-55

👍 User Acceptance Testing (UAT)

Commands can be executed normally; functionality unaffected.
Screenshot from 2020-09-09 16-23-42
PDF created with the utility
