GHSA-vvmv-wrvp-9gjr: @jmondi/url-to-png contains a Path Traversal vulnerability
Summary
While adding a BLOCK_LIST feature, the maintainer noticed that the ImageId is not sanitized in the code, which leads to a path traversal vulnerability. This is different from a traditional path traversal issue: as of now the image can be stored in any location arbitrarily, and given enough time someone might be able to come up with a working exploit, but for the time being this is being reported as it stands.
Details
@jmondi/url-to-png does not sanitize the ImageID, i.e. it does not remove special characters from the params (extract_query_params.ts#L75):
const imageId = dateString + "." + slugify(validData.url) + configToString(params);
When this is fed to other parts of the code, such as filesystem.ts#L34:
return path.join(this.storagePath, imageId) + ".png";
the result is a path traversal issue.
PoC
# Configuration for filesystem storage provider (optional)
STORAGE_PROVIDER=filesystem
IMAGE_STORAGE_PATH=poc
Set this in your .env file and use the following as your payload:
http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack
This will create a .png file under /tmp on the system.
Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6
This applies to pretty much all the arguments (except numeric values).
A simple fix would be to apply slugify to the params as well, like so (#L75):
- const imageId = dateString + "." + slugify(validData.url) + configToString(params);
+ const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));
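Review bot: slugifying configToString(params) strips the "." and "/" characters that make the ../ sequences in the PoC possible, so the traversal is closed at the point the imageId is built; note that it also changes the imageId, and with it the on-disk filename produced by path.join(this.storagePath, imageId) + ".png", for every request that carries params, so images cached under the old scheme will no longer be found. Consider additionally checking in filesystem.ts that the joined path still resolves under this.storagePath, so that a future code path building imageId differently cannot reintroduce the issue.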
Impact
This is a path traversal vulnerability that, as of now, allows an arbitrary file write.
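The following is an added example (not code from the advisory or from url-to-png) that reproduces the unsafe imageId construction beside a hardened version with a containment check, using the advisory's isDarkMode payload. configToString() and slugify() are hypothetical stand-ins for the project's own helpers, whose exact output format the advisory does not show.

```typescript
import * as path from "node:path";

type Params = Record<string, string>;

// Hypothetical stand-in for the project's configToString(): joins key/value pairs.
function configToString(params: Params): string {
  return Object.entries(params).map(([k, v]) => `_${k}-${v}`).join("");
}

// Minimal slugify stand-in: lowercase, non-alphanumeric runs become "-", edges trimmed.
function slugify(s: string): string {
  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
}

// True when `candidate` resolves to a file strictly below `root`.
function isInsideRoot(root: string, candidate: string): boolean {
  const rootAbs = path.resolve(root);
  const candAbs = path.resolve(candidate);
  return candAbs.startsWith(rootAbs + path.sep);
}

// Vulnerable construction as described in the advisory: the params string is
// appended raw, so "../" sequences survive into path.join() and escape storagePath.
function vulnerableImagePath(storagePath: string, dateString: string, url: string, params: Params): string {
  const imageId = dateString + "." + slugify(url) + configToString(params);
  return path.join(storagePath, imageId) + ".png";
}

// Hardened construction: slugify the params as well (the advisory's suggested fix)
// and, as defence in depth, refuse any result that resolves outside storagePath.
function safeImagePath(storagePath: string, dateString: string, url: string, params: Params): string {
  const imageId = dateString + "." + slugify(url) + slugify(configToString(params));
  const target = path.join(storagePath, imageId) + ".png";
  if (!isInsideRoot(storagePath, target)) {
    throw new Error("image path escapes the storage directory");
  }
  return target;
}

// Constructed request parameters carrying the advisory's payload in isDarkMode.
const PAYLOAD_PARAMS: Params = {
  width: "400",
  isDarkMode: "../../../../../../../../../../../../tmp/hack",
};

// Stand-alone run: the vulnerable path lands outside "poc", the safe one stays inside.
console.log(vulnerableImagePath("poc", "2024-01-01", "http://example.com", PAYLOAD_PARAMS));
console.log(safeImagePath("poc", "2024-01-01", "http://example.com", PAYLOAD_PARAMS));
```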
References
- GHSA-vvmv-wrvp-9gjr
- jasonraimondi/url-to-png@e4eaeca
- https://github.com/jasonraimondi/url-to-png/releases/tag/v2.1.2