Vulnerable to SSRF when letting users convert custom html #249

This library is vulnerable to Server-Side Request Forgery (SSRF) when users can input the html being converted to pdf.

The NPM advisory for this causes https://www.npmjs.com/advisories/1339 Is it possible to close this advisory? Or release a new version of this package as a workaround to satisfy

The overall security vulnerability does exist. If you run this on a server that can access sensitive URLs, and render HTML using user-provided content, then a malicious user could embed a target URL and prompt the server to fetch that URL into the rendered PDF, for example with image or iframe URLs. In general though, fetching URLs is necessary to render the HTML and ultimately the PDF. A basic solution for users of this package is to prevent their server from having access to sensitive URLs. Another possible solution, depending on the application, would be to configure their server to only have access to a specific set of safe URLs.

Version 0.6.1 has been released and I have included a Security section. I have pinged npm about the advisory.

The advisory has been removed from both npm and Snyk.