contrib.nodejsscan.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf
returntocorpAuthor
99
Download Count*
License
User controlled URL reached to wkhtmltopdf can result in Server Side Request Forgery (SSRF).
Run Locally
Run in CI
Defintion
rules:
- id: wkhtmltopdf_ssrf
patterns:
- pattern-inside: |
require('wkhtmltopdf');
...
- pattern-either:
- pattern-inside: function ($REQ, $RES, ...) {...}
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: |
$INP = <... $REQ.$VAR ...>;
...
wkhtmltopdf(<... $INP ...>, ...);
- pattern: |
$INP = <... $REQ.$VAR.$FOO ...>;
...
wkhtmltopdf(<... $INP ...>, ...);
- pattern: |
wkhtmltopdf(<... $REQ.$VAR ...>, ...)
- pattern: |
wkhtmltopdf(<... $REQ.$VAR.$FOO ...>, ...)
message: User controlled URL reached to `wkhtmltopdf` can result in Server Side
Request Forgery (SSRF).
languages:
- javascript
severity: ERROR
metadata:
owasp: A01:2017 - Injection
cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
category: security
technology:
- node.js
- express
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
ssrf_wkhtmltopdf.js
const wkhtmltopdf = require('wkhtmltopdf')
// ok:wkhtmltopdf_ssrf
wkhtmltopdf(input(), { output: 'vuln.pdf' })
function test(userInput) {
// ok:wkhtmltopdf_ssrf
return wkhtmltopdf(userInput, { output: 'vuln.pdf' })
}
app.get('/', function (req, res) {
// ok:wkhtmltopdf_ssrf
wkhtmltopdf('<html><html/>', { output: 'vuln.pdf' })
// ruleid:wkhtmltopdf_ssrf
wkhtmltopdf(req.foo, { output: 'vuln.pdf' })
});
Short Link: https://sg.run/XBnw