Security implications #9

@mantrainfosec

Hi,

First of all, great repository. The API makes it a lot easier to use your tool compared to others.

I've noticed that this and similar tools are used by multiple companies to export PDFs. Although this is a great and easy way to implement this functionality, it comes with a certain cost.

Your security note in the README is quite right, but I believe there should be a bit more to add to it:

  • You or the implementers should consider disabling JavaScript in full in the headless Chrome.
  • Input validation/sanitization should be implemented on the service that calls this API.
  • Containers should be fully segregated and firewalled, so they should not be able to access other containers or IPs in general.
  • IAM and similar policies should be restricted as much as possible.

If an attacker could inject arbitrary HTML/JS into the headless Chrome browser, that would be rendered/executed while creating the PDF. The attacker could interact with external and internal services in the environment, which might lead to huge issues including cloud account takeover.
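
The input-validation point in the issue above, as an added example that is not part of the original issue or of the project's code: a pre-submission check the calling service could run on HTML before handing it to the PDF API, rejecting script-capable tags, inline event handlers, and URLs that are not HTTPS to an allowlisted host. The tag and attribute lists, the `static.example.com` allowlist and the sample documents are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example; adjust to what your templates need.
BLOCKED_TAGS = {"script", "style", "iframe", "object", "embed", "frame", "link", "meta", "base"}
URL_ATTRS = {"src", "href", "data", "action", "poster", "srcset"}
ALLOWED_HOSTS = {"static.example.com"}  # hypothetical asset host


class PdfInputAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # reasons to reject the document

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                self._check_url(tag, name, value.strip())

    def _check_url(self, tag, name, value):
        try:
            parts = urlsplit(value)
            host = parts.hostname or ""
        except ValueError:
            self.findings.append(f"unparseable URL in {name} on <{tag}>")
            return
        try:
            internal = not ipaddress.ip_address(host).is_global
        except ValueError:
            internal = False  # not an IP literal; the allowlist decides
        if internal:
            self.findings.append(f"non-public address {host} in {name} on <{tag}>")
        elif parts.scheme != "https" or host not in ALLOWED_HOSTS:
            self.findings.append(f"disallowed URL {value!r} in {name} on <{tag}>")


def audit_html(html):
    auditor = PdfInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings  # empty list means the input passed

# Constructed samples
SAFE = '<h1>Invoice 42</h1><img src="https://static.example.com/logo.png">'
HOSTILE = '<p onclick="render()">hi</p><script>render()</script><img src="http://10.0.0.5/status">'
```

Inline `style` attributes are not inspected here, and hostnames are not resolved, so this check sits alongside the JavaScript, network-segregation and IAM measures listed in the issue rather than replacing them.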
