npm audit vulnerability #530
Thanks for the great plugin. Do you have any plan to fix it sooner? Thank you
Seems puppeteer will be the answer. Not many other well-supported choices for html to pdf converters.
Any alternatives for this package apart from the puppeteer approach?
@278kunal There is json to pdf, https://www.npmjs.com/package/pdfkit, which is very popular. You would have to convert your existing templates from html to json, but it works.
I'm not sure why you can't just provide the phantomjs argument using the config |
@marcbachmann Could you explain how this would help with the npm vulnerability above? https://www.npmjs.com/advisories/1095
I decided to replicate potential attacks if possible. In order to do that I played with phantomjs arguments (https://phantomjs.org/api/command-line.html). Below you can find the experiment and accompanying results.

Preparation
with
Test
Rendering from web server with default phantomArgs
Start web server:
Go to http://localhost:8080 in your browser. Look at the output from console.
=> Cross-origin request was not allowed. Private content not visible in the rendered pdf.
Rendering from web server with web security turned off (
Hi @sin6pi7, the last post was really informative, thanks for putting this together. I figure that the suggestion from @marcbachmann would prevent such an attack. However, what I am wondering is, given that I, and I suspect other people also, have Do you guys turn off Thanks again for your time.
Thanks @antoniovassell, appreciated 👍
Please remember that this only tackles the XHR for local files reported in the original description on the npm website. It might be that the npm researchers found other attack vectors which I have not covered. The suggestion for disabling local file access in phantomjs should be evaluated against your own use case.
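Since the thread turns on which phantomjs arguments an html-pdf config passes, here is an added example (not code from the html-pdf project or from anyone in this thread) that audits a `phantomArgs` array and reports settings that widen what a rendered HTML document can read. Flag names follow the PhantomJS command-line docs linked above; `--local-url-access` is assumed to be supported by your PhantomJS build, so check `phantomjs --help` before relying on it.

```javascript
'use strict';

// Parse ["--web-security=false", "--foo"] into a Map of flag -> value.
// A flag given without "=value" is treated here as "true".
function parsePhantomArgs(phantomArgs) {
  const flags = new Map();
  for (const arg of phantomArgs || []) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const name = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? 'true' : arg.slice(eq + 1);
    flags.set(name.toLowerCase(), value.trim().toLowerCase());
  }
  return flags;
}

// Return a list of findings for an html-pdf style phantomArgs array.
// An empty list means none of the checked settings is risky.
function auditPhantomArgs(phantomArgs) {
  const flags = parsePhantomArgs(phantomArgs);
  const findings = [];
  // Same-origin policy off: page JS may XHR any origin, including local ones.
  if (flags.get('web-security') === 'false') {
    findings.push('web-security=false lets rendered HTML fetch cross-origin and local resources');
  }
  // Local content reaching remote origins is the XHR path discussed in the thread.
  if (flags.get('local-to-remote-url-access') === 'true') {
    findings.push('local-to-remote-url-access=true allows local file content to reach remote origins');
  }
  // Assumption: without this flag PhantomJS allows file:// access by default.
  if (flags.get('local-url-access') !== 'false') {
    findings.push('local-url-access is not set to false; untrusted HTML may reference file:// paths');
  }
  return findings;
}

// Constructed sample config, not one from the project or the thread.
const sampleConfig = { format: 'A4', phantomArgs: ['--web-security=false'] };
console.log(auditPhantomArgs(sampleConfig.phantomArgs));
```

Run the audit against the options object you hand to html-pdf; a non-empty result is the place to start when comparing your settings with the thread's suggestion.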
Yeah, I've been there and decided to use https://www.npmjs.com/package/npm-audit-resolver - it allows you to choose whether you would like to ignore something if you're making an informed decision.
Hi @sin6pi7,
Sadly, we don't have the privilege of choosing alternatives to Thanks :)
In your
You can try this until a new patch is published; that repo seems to be safe to use imo.
Can we get this published on NPM? That would be great. Love what you did there.
@418sec can you publish to NPM?
Can @marcbachmann merge and publish the change? If not, maybe we need to fork the repo and rename it so we can publish it.
I have the fix in #616, just phantomjs fails to run on the CI. It's working locally.
Thank you @marcbachmann
There is a fix in 3.0.1 now, but the advisory still lists it as affected.
I contacted NPM support and advisory 1095 is now marked as fixed in the 3.0.1 version: https://www.npmjs.com/advisories/1095/versions
@antoniovassell can this be closed now?
It's still listed as an issue for version 3.0.1 in tools like Meterian.
Hey there, an npm advisory is out for this package.
https://www.npmjs.com/advisories/1095
Is there any timeline to resolve this?