Fix arbitray code execution on wkhtmltoimage

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-wkhtmltoimage/

⚙️ Description *

wkhtmltoimage was vulnerable against arbitrary command injection cause some user supplied inputs were taken and composed into string to be executed without prior sanitization
After update Arbitary Code Execution is avoided

💻 Technical Description *

Commands that relay on piping functions are excuted usng spawn and piping, sanitization is implemented but not for option.output, needed sanitization was implemented whitelisting valid chars

🐛 Proof of Concept (PoC) *

1. Install package
2. Create the following PoC file:

// poc.js
var wkhtmltoimage = require('./');
wkhtmltoimage.generate("test", {output:"test; touch HACKED; #"}, function(){});

3. Check there aren't files called HACKED
4. Execute the following commands in another terminal:

node poc.js #  Run the PoC

5. Recheck the files: now HACKED has been created

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally, functionality unafected

[ghost]

Looks good, thanks 👍

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord