h17-sspdf 1.2.0 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/core/render-document.js +19 -2
- package/package.json +1 -1
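--- a/package/core/render-document.js
+++ b/package/core/render-document.js
@@ -759,7 +759,17 @@ function executeOperation(ctx) {
 if (!srcPath) {
 throw new Error(`Operation ${index} (image) missing "src" field`);
 }
-
+// Containment: src must be a relative path under the working directory.
+// Blocks absolute paths and ../ traversal so an untrusted source document
+// cannot read arbitrary files (e.g. /etc/passwd, ../../app/.env) into the PDF.
+if (path.isAbsolute(srcPath) || srcPath.includes("\0")) {
+throw new Error(`Operation ${index} (image) "src" must be a relative path: "${srcPath}"`);
+}
+const imageBaseDir = path.resolve(process.cwd());
+const resolvedPath = path.resolve(imageBaseDir, srcPath);
+if (resolvedPath !== imageBaseDir && !resolvedPath.startsWith(imageBaseDir + path.sep)) {
+throw new Error(`Operation ${index} (image) "src" escapes the working directory: "${srcPath}"`);
+}
 let buf;
 try {
 buf = fs.readFileSync(resolvedPath);
@@ -1135,7 +1145,14 @@ function estimateOperationHeight(ctx) {
 let imgHeightMm = 80; // fallback
 if (operation.src) {
 try {
-
+if (path.isAbsolute(operation.src) || operation.src.includes("\0")) {
+throw new Error(`image "src" must be a relative path: "${operation.src}"`);
+}
+const imageBaseDir = path.resolve(process.cwd());
+const resolvedPath = path.resolve(imageBaseDir, operation.src);
+if (resolvedPath !== imageBaseDir && !resolvedPath.startsWith(imageBaseDir + path.sep)) {
+throw new Error(`image "src" escapes the working directory: "${operation.src}"`);
+}
 const buf = fs.readFileSync(resolvedPath);
 const imgInfo = getImageDimensions(buf);
 const resolved = resolveImageSize(operation, imgInfo.width, imgInfo.height, contentWidthMm - padding.left - padding.right);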
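Review bot: The containment check added at new lines 765–772 is repeated verbatim at 1148–1155 with only the error prefix differing, so any later tightening of one copy can silently miss the other; a single helper that both call sites use keeps the two in lockstep, sketched below. Both copies are purely lexical: `path.resolve` does not follow symlinks, so a link under the working directory that points elsewhere still passes the `startsWith` test, and if that matters for this package's threat model a `fs.realpathSync` comparison belongs in that same helper rather than in two places. Separately, the context line at 775 (`buf = fs.readFileSync(resolvedPath);`) already used `resolvedPath` before this change, and the removed line at old 762 is rendered here without its text; if that removed line was not the previous `resolvedPath` declaration and the old declaration survives in the same block, the new `const resolvedPath` at 770 is a duplicate declaration — confirm against the full file, and likewise for old 1138 / new 1156. Both enclosing functions, `executeOperation` and `estimateOperationHeight`, start and end outside their hunks.
```javascript
// Resolves an image "src" against the working directory and rejects anything
// absolute, containing NUL, or resolving outside that directory. `label` is
// the error-message prefix (e.g. `Operation 3 (image)` or `image`).
// NOTE: lexical check only; symlinks under the working directory are not resolved.
function resolveImageSrc(src, label) {
  if (path.isAbsolute(src) || src.includes("\0")) {
    throw new Error(`${label} "src" must be a relative path: "${src}"`);
  }
  const imageBaseDir = path.resolve(process.cwd());
  const resolvedPath = path.resolve(imageBaseDir, src);
  if (resolvedPath !== imageBaseDir && !resolvedPath.startsWith(imageBaseDir + path.sep)) {
    throw new Error(`${label} "src" escapes the working directory: "${src}"`);
  }
  return resolvedPath;
}

// … in executeOperation, replacing new lines 762–772 …
const resolvedPath = resolveImageSrc(srcPath, `Operation ${index} (image)`);
// … unchanged: let buf; try { buf = fs.readFileSync(resolvedPath); … …

// … in estimateOperationHeight, replacing new lines 1148–1155 …
const resolvedPath = resolveImageSrc(operation.src, "image");
// … unchanged: const buf = fs.readFileSync(resolvedPath); … …
```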