node-html-pdf - Two Arbitrary File Read - Fix #556
Conversation
Merging fix - on-behalf of @mufeedvh, executed by huntr.dev (005-js-html-pdf).
|
@marcbachmann - any updates on this? |
Addresses code quality issue - https://travis-ci.org/github/marcbachmann/node-html-pdf/jobs/653433658.
|
@marcbachmann - code quality issues addressed and fixed. |
|
Hi, checking in on the status for accepting this PR, it surfaced in a recent app scan |
[FIX] Arbitrary file read using `secure arguments` for `PhantomJS`
huntr-helper
changed the title
|
@marcbachmann @huntr-helper when we are planning to publish fix for this issue? Thanks |
|
@navjotdhanawat - we are just waiting to hear back from the maintainer, but hopefully as soon as possible! |
There was a problem hiding this comment.
Sorry for the absence.
We can merge that and release it in a major bump as it's a breaking change.
I guess we should also deprecate the library because it's api is phantomjs-oriented and doesn't make sense with more modern setup where a pool of headless workers should be used.
|
Any updates ? |
|
@chriskinsman any chance you could take a look at this? |
|
Should we trigger a breaking change here and release v3? |
|
@marcbachmann - let me know if you need any changes made to the PR, cheers! 👍 |
|
wow nice this is moving, I was about to make a fork and merge this then deploy to npm because this is very serious and needed fix! Can this be merged today? thank you guys |
| @@ -22,7 +27,7 @@ function help () { | |||
| } | |||
|
|
|||
| function htmlpdf (source, destination) { | |||
| var html = fs.readFileSync(source, 'utf8') | |||
| var html = DOMPurify.sanitize(fs.readFileSync(source, 'utf8')) | |||
There was a problem hiding this comment.
this won't help anything regardong security. I wouldn't take jsdom into the project as dependency.
the option which sets the flag is enough. Let's release that as v3 then.
I guess we can can skip a release in v2 as it won't help anything.
There was a problem hiding this comment.
I mean we should check whether we can limit the origins of urls (content security policy maybe?). That would be much cleaner. In some cases remote content is desired.
There was a problem hiding this comment.
True, normally there should be a restriction to the source or format of origins or urls in the config before even been able to read the file?
Some like
const config = {
allowedFolders: ['/tmp','render'],
allowedDomains: ['domain1.tld','domain2']
}
There was a problem hiding this comment.
I think this would be supported using page.onResourceRequested: https://phantomjs.org/api/webpage/handler/on-resource-requested.html
There was a problem hiding this comment.
wow. spot on! then we just match the options in the config with
var match = requestData.url.match(/wordfamily.js/g); or includes?
const allowed = config.allowedFolders.contains(requestData.url.split('/')[0])// a bit hacky but you get the idea?
if(!allowed) return networkRequest.abort()
There was a problem hiding this comment.
So glad y'all are figuring this out. Cause I don't really know what is going on. I just want that npm audit vulnerability to go away.
There was a problem hiding this comment.
well this is easy to fix just the incentive to is the issues sometimes :D I can write a good fix for it tho before it goes even to phantomjs
|
any new here ? can this be merged ? |
|
Hi, any update on this? |
|
HI Oliver, how are you?
…On Wed, Apr 14, 2021 at 3:09 AM Oliver Escosura ***@***.***> wrote:
Hi, any update on this?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#556 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPAQB2CDEBNNRPKQOP255TTIUBPNANCNFSM4KZCKPNA>
.
--
--------------------
Youssef KH
|
|
Any news on this? |
|
Fixed in #616 and released with Version 3. There's a new |
Fix 1 - Arbitrary File Read
https://github.com/mufeedvh fixed the vulnerability associated with Arbitrary File Read.
This fix is being submitted on behalf of https://github.com/mufeedvh - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.
Think you could fix a vulnerability like this - get involved (https://huntr.dev).
Q | A
Version Affected | ALL
Bug Fix | YES
Further References | 418sec#2
Fix 2 - Arbitrary File Read
https://huntr.dev/users/Mik317 fixed the vulnerability associated with Arbitrary File Read.
This fix is being submitted on behalf of https://huntr.dev/users/Mik317 - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.
Think you could fix a vulnerability like this - get involved (https://huntr.dev).
Q | A
Version Affected | ALL
Bug Fix | YES
Further References | 418sec#3
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-npm-html-pdf
⚙️ Description *
The
node-html-pdfmodule isvulnerableagainstarbitrary file readdue to a unsafe usage ofphantomjs, which makes possible readinglocal fileswhen parsinghtml filesto convert inpdf ones.💻 Technical Description *
As suggested on #530 (comment), I added as
defaultargument the--local-url-access=falseoptions, which makes impossible readinglocal files😄The user is still able to provide access to the
local filessetting thereadLocalFileoption totrue😄🐛 Proof of Concept (PoC) *
node-html-pdfpoc.jsfile:node poc.jsexample.pdffile with the content of/etc/passwdis created🔥 Proof of Fix (PoF) *
Same steps with fixed version doesn't create a file with the content of the
/etc/passwdfileIf the user explicity uses
readLocalFileinside theoptions, then theinternal filesare fetched again (only who writes the code can change it, so no possible bypasses are allowed for other users 😄)👍 User Acceptance Testing (UAT)
Run a unit test or a legitimate use case to prove that your fix does not introduce breaking changes.