From 37b68061924920ab32fe679ae9d8641a7df8fa65 Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Tue, 10 Mar 2020 15:24:55 +0530 Subject: [PATCH 1/4] Fixed Remote Code Execution Vulnerability --- index.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/index.js b/index.js index 4fa6231..f24a835 100644 --- a/index.js +++ b/index.js @@ -8,6 +8,12 @@ var util = require("util"); var exec = require("child_process").exec; function PDFImage(pdfFilePath, options) { + // validating the file path for invalid characters to prevent remote code execution + if (/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(pdfFilePath)) { + console.log("\nERROR: The file path contains invalid characters\n"); + return; + } + if (!options) options = {}; this.pdfFilePath = pdfFilePath; From 5977f966d5e7a9d9d9f73cc40fec0633e7fe2d45 Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Sat, 14 Mar 2020 01:25:52 +0530 Subject: [PATCH 2/4] Cleaner Regex Check --- index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/index.js b/index.js index f24a835..48292e8 100644 --- a/index.js +++ b/index.js @@ -9,7 +9,8 @@ var exec = require("child_process").exec; function PDFImage(pdfFilePath, options) { // validating the file path for invalid characters to prevent remote code execution - if (/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(pdfFilePath)) { + var filter_chars = /[`!@#$%^&*()_+\-=\[\]{};':"\\|,<>\/?~]/; + if (filter_chars.test(pdfFilePath)) { console.log("\nERROR: The file path contains invalid characters\n"); return; } From 28db1f823195d44e04f6d525b6176e4b7c155e93 Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Sat, 14 Mar 2020 21:27:02 +0530 Subject: [PATCH 3/4] Fixed The Regex Pattern --- index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.js b/index.js index 48292e8..9cbbeb4 100644 --- a/index.js +++ b/index.js @@ -9,7 +9,7 @@ var exec = require("child_process").exec; function PDFImage(pdfFilePath, options) { // validating the file path for invalid characters to prevent remote code execution - var filter_chars = /[`!@#$%^&*()_+\-=\[\]{};':"\\|,<>\/?~]/; + var filter_chars = /[;|`$()&<>]/; if (filter_chars.test(pdfFilePath)) { console.log("\nERROR: The file path contains invalid characters\n"); return; From d4da42b3841a5e5cae33b5f3e67c85ce3048e3c9 Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Thu, 19 Mar 2020 17:51:12 +0530 Subject: [PATCH 4/4] Bonus Fix for the Argument Injection found by @Mik317 --- index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.js b/index.js index 9cbbeb4..2740e31 100644 --- a/index.js +++ b/index.js @@ -9,7 +9,7 @@ var exec = require("child_process").exec; function PDFImage(pdfFilePath, options) { // validating the file path for invalid characters to prevent remote code execution - var filter_chars = /[;|`$()&<>]/; + var filter_chars = /[!";|`$()&<>]/; if (filter_chars.test(pdfFilePath)) { console.log("\nERROR: The file path contains invalid characters\n"); return;