This repository was archived by the owner on Dec 19, 2023. It is now read-only.

@mufeedvh mufeedvh commented Apr 3, 2020

How:

The mitigation is implemented with a Regex (!";|`$()&<>) check for malicious characters that could be used to concatenate other shell commands in index.js and continues execution after replacing the matched characters.

🗒️ Fix Snippet:

```js
// filtering bad characters to prevent command injection
var filter_chars = /[!";|`$()&<>]/g;
thisURL = thisURL.replace(filter_chars, '');
```

Recently on one of my pull requests, the author of the project stated that the use of console.log() to print out an error and halt the execution is not ideal when the program doesn't use console.log() at all. As this program is similar, the fix replaces malicious characters and continues the execution which is required to prevent the Command Injection Vulnerability. :)

🔗 mooz/node-pdf-image#60 (comment)


✌️ Fixed!
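Added example, not part of the PR or the project's code: the denylist from the fix snippet next to an alternative that parses the URL and passes it as a single `execFile` argument, so no shell interprets it. `validateUrl`, `buildArgs`, `runTool` and the `tool` parameter are hypothetical names; the page does not show which command index.js runs.

```javascript
const { execFile } = require('node:child_process');

// Denylist copied from the fix snippet in the PR description.
const filter_chars = /[!";|`$()&<>]/g;

function stripShellChars(input) {
  return String(input).replace(filter_chars, '');
}

// Hypothetical allowlist check: accept only well-formed http(s) URLs and
// return the parser's normalized form, or null when the input is rejected.
function validateUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.href;
}

// Hypothetical helper: build the argv array for the child process.
// The URL is one array element, so no shell ever splits or expands it.
function buildArgs(input) {
  const url = validateUrl(input);
  return url === null ? null : [url];
}

// Hypothetical runner: `tool` stands in for whatever binary index.js calls.
function runTool(tool, input, callback) {
  const args = buildArgs(input);
  if (args === null) {
    callback(new Error('rejected: not an http(s) URL'));
    return;
  }
  execFile(tool, args, { shell: false }, callback);
}

// Constructed sample input: a legitimate URL with a query string.
const sample = 'http://example.test/x?y=1&z=2';
```

With the constructed sample, the denylist removes the `&` query separator and changes the URL, while the argument-array form passes it through intact because nothing interprets it.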


@toufik-airane toufik-airane left a comment

LGTM. 👍

@huntr-helper

Congratulations @mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
