Summary

I was trying to add a BLOCK_LIST feature when I noticed we don't sanitize the ImageId in the code, which leads to path traversal vulnerability. Now, this is different from our traditional path traversal issue, because as of NOW I can store the image in any place arbitrarily, and given enough time I might be able to come up with a working exploit BUT for the time being I am reporting this.

Details

We are not sanitizing the ImageID as in not removing special chars from the params (extract_query_params.ts#l75)

const imageId = dateString + "." + slugify(validData.url) +configToString(params);

This when fed to other parts of the code such as (filesystem.ts#L34)

return path.join(this.storagePath, imageId) + ".png";

Would result in path traversal issue.

PoC

# Configuration for filesystem storage provider (optional)
STORAGE_PROVIDER=filesystem
IMAGE_STORAGE_PATH=poc

Set this in your .env file and use this as your payload.

http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack

This will create a .png file in the /tmp section of the system.

Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6

This is valid for pretty much all the arguments (except for numeric values)

A simple fix would be to use the slugify for the params as well like so (#L75)

- const imageId = dateString + "." + slugify(validData.url) + configToString(params);
+ const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));

Impact

This would be path traversal vulnerability which allows arbitrary write as of now.