javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection

Author: semgrep
Download count: 3,078

If unverified user data can reach `wkhtmltopdf`, it can result in Server-Side Request Forgery vulnerabilities.


Definition

rules:
  - id: wkhtmltopdf-injection
    message: If unverified user data can reach the `wkhtmltopdf` it can result in
      Server-Side Request Forgery vulnerabilities
    metadata:
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      category: security
      technology:
        - wkhtmltopdf
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          $WK = require('wkhtmltopdf');
          ...
      - pattern-not-inside: |
          var $INPUT = "...";
          ...
      - pattern: $WK($INPUT,...)
      - pattern-not: $WK("...",...)

Examples

wkhtmltopdf-injection.js

const wkhtmltopdf = require('wkhtmltopdf')

// ruleid: wkhtmltopdf-injection
wkhtmltopdf(input(), { output: 'vuln.pdf' })

function test(userInput) {
  // ruleid: wkhtmltopdf-injection
  return wkhtmltopdf(userInput, { output: 'vuln.pdf' })
}

// ok: wkhtmltopdf-injection
wkhtmltopdf('<html><html/>', { output: 'vuln.pdf' })

function okTest(userInput) {
  var html = '<html><html/>';
  // ok: wkhtmltopdf-injection
  return wkhtmltopdf(html, { output: 'vuln.pdf' })
}
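As an added example that is not part of the Semgrep rule or of the wkhtmltopdf package, the hardened counterpart to the flagged calls above: user data is escaped and placed into a fixed template, so the renderer only fetches resources the server's own template names. The option names `disableLocalFileAccess` and `disableJavascript` assume the npm wrapper maps camelCase keys to the CLI flags `--disable-local-file-access` and `--disable-javascript`; check that against the wrapper version you use.

```javascript
// Added example (not the Semgrep rule's or the wkhtmltopdf package's code).
// The rule flags wkhtmltopdf(userInput, ...) because the renderer fetches every
// URL the HTML references, so attacker-controlled markup turns into requests
// made from the server. The fix: treat user data as text, never as markup.

// Escape the five characters that let a string break out of text or attribute
// context in HTML. Applied to every user-controlled value before templating.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the document from a fixed template; user fields only ever land inside
// text nodes as escaped content, so an <img>, <iframe> or <link> tag in the
// request body is rendered as literal text, not interpreted as markup.
function buildReportHtml(report) {
  return '<!doctype html><html><head><meta charset="utf-8">' +
    '<title>Report</title></head><body>' +
    '<h1>' + escapeHtml(report.title) + '</h1>' +
    '<p>' + escapeHtml(report.body) + '</p>' +
    '</body></html>';
}

// Renderer options that further limit what the process may load even if the
// template were ever to include a user-supplied URL. Assumption: the npm
// wrapper turns these camelCase keys into --disable-local-file-access and
// --disable-javascript.
const HARDENED_OPTIONS = { disableLocalFileAccess: true, disableJavascript: true };

// Render the PDF. wkhtmltopdf is required lazily so the helpers above can be
// exercised (and unit-tested) on a machine without the binary installed.
function renderReport(report, outputPath) {
  const wkhtmltopdf = require('wkhtmltopdf');
  // The rule's pattern-not only exempts string literals, so this call is still
  // reported. That is the intended audit behaviour: the reviewer confirms the
  // first argument comes from buildReportHtml, not verbatim from the request.
  return wkhtmltopdf(buildReportHtml(report), { ...HARDENED_OPTIONS, output: outputPath });
}
```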