Pdfkit: 3x Moderate vulnerability (Sandbox Breakout / Arbitrart Code Execution)

Created on 20 Feb 2019  路  6Comments  路  Source: foliojs/pdfkit

Bug Report

Moderate vulnerability (Sandbox Breakout / Arbitrart Code Execution):

Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > fontkit > brfs > static-module > static-eval
More info https://npmjs.com/advisories/758
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > fontkit > unicode-properties > brfs > static-module

static-eval
More info https://npmjs.com/advisories/758
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > linebreak > brfs > static-module > static-eval
More info https://npmjs.com/advisories/758

Description of the problem

Package manager (npm) telling me that this module have moderate vulnerabilities. It can't be fixed by npm audit fix

Code sample

npm install pdfkit

Your environment

  • pdfkit version: 0.9.0
  • Node version: 10.15.1
  • Browser version (if applicable): -
  • Operating System: WIndows 10

Most helpful comment

For anyone else wondering about the status of this:

I've looked around a bit and found that fixing this is currently blocked on updates to linebreak and fontkit, both of which have outstanding PRs (https://github.com/foliojs/linebreak/pull/11 and https://github.com/foliojs/fontkit/pull/190 respectively).

All 6 comments

Running npm audit fix doesn't work on these and requires manual intervention (tested on linux).

Installing via npm install pdfkit --only=production also causes the same issue.

Cloning the repo and attempting an audit fix in the lib directory results in 9 vulnerabilities.

This appears to be related to browserify. Similar to issue #739

Is the pdfkit project actively maintained any more? There are 241 open issues and 19 pull requests.

Is the pdfkit project actively maintained any more?

Yes. But only a few people do PR.

PR welcome. See contributing

For anyone else wondering about the status of this:

I've looked around a bit and found that fixing this is currently blocked on updates to linebreak and fontkit, both of which have outstanding PRs (https://github.com/foliojs/linebreak/pull/11 and https://github.com/foliojs/fontkit/pull/190 respectively).

I dont have write access to those repositories

@devongovett can you give write access to related dependencies?

What is the real risk of these vulnerabilities for pdfkit?

pdfkit picks up the static-eval vulnerability from 2 places:

  • fontkit font_factory.js which only seems to be used to read font files and not user input.
  • linebreak via brfs. But readFileSync seems only to be called here
    linebreaker.js which again does not read user input

This makes me think that the vulnerability is not exploitable via pdfkit, though we would still like to resolve the warnings :-)

There's no risk. Is a false positive because brfs is defined as a devDependency

Was this page helpful?
0 / 5 - 0 ratings