
Security Fix for Remote Code Execution - huntr.dev#11

Open
huntr-helper wants to merge 3 commits intotimstudd:masterfrom
418sec:master

Conversation

@huntr-helper

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/wkhtmltoimage/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-wkhtmltoimage/

⚙️ Description *

wkhtmltoimage was vulnerable to arbitrary command injection because some user-supplied inputs were taken and composed into a string to be executed without prior sanitization.
After the update, arbitrary code execution is avoided.

💻 Technical Description *

Commands that rely on piping functions are executed using spawn and piping; sanitization is implemented, but not for option.output. The needed sanitization was implemented by whitelisting valid chars.

🐛 Proof of Concept (PoC) *

  1. Install the package.
  2. Create the following PoC file:

```js
// poc.js
// The injected option.output is concatenated into the shell command
// that wkhtmltoimage builds, so the ';' terminates the intended command
// and 'touch HACKED' runs as a second one.
var wkhtmltoimage = require('./');
wkhtmltoimage.generate("test", {output:"test; touch HACKED; #"}, function(){});
```

  3. Check that there is no file called HACKED.
  4. Execute the following command in another terminal:

```sh
node poc.js #  Run the PoC
```

  5. Recheck the files: now HACKED has been created.

🔥 Proof of Fix (PoF) *

After fix no file is created

👍 User Acceptance Testing (UAT)

Commands can be executed normally; functionality is unaffected.
