
Our server application is generating a PDF file using the WKHTMLTOPDF process launched via a Java ProcessBuilder.start() method.

The command line of this process is generated from the parameters of an HTTP request.

As there is no way to ensure the request is valid, is there any security-related issue we should be aware of with this approach?

andih
Marc Polizzi
    Do you mean issues besides the fact that you're executing native code with parameters from possibly hostile parties? – Kayaman May 24 '17 at 07:47
  • Not sure I understand. We are controlling the executable that is launched by ProcessBuilder but not its parameters. So what could go wrong with that? For example, is it possible to execute any command on the server? – Marc Polizzi May 24 '17 at 07:52
    Yes, you should assume that it is possible to execute any command on the server. Just think of an (at the moment) unknown bug in `WKHTMLTOPDF` – andih May 24 '17 at 07:55

3 Answers

2

You should look into sandboxing the process you spawn. For instance use jail, or a container, like Docker. This way if an attacker finds a way to do some sort of parameter injection, at least the damage is contained to what you allow the sandbox to do. Generally, read up about running untrusted processes.

For example, is it possible to execute any command on the server?

Yes, you should work under the assumption that it is possible. Hence, sandbox the process.

Remus Rusanu
1

To make sure that there is no security issue, please consider the following points:

  1. Make sure that the process doesn't have permissions outside certain directories. For example, if the process relies on jars then the permission should be 640; if you are generating the PDF in a certain directory, the permission can be 750, and so on.
  2. Make sure that all requests are properly audited and that logs are not written to a directory controlled by the PDF generating process.
  3. Make sure that the input parameters received are sanitized to avoid the use of special characters and other issues like XSS and SQL injection (if you are contacting the DB), and that those parameters are sanitized before reaching your PDF generating process.
  4. To avoid requests sent by random clients or webpages, you can include a nonce in the generated form (if you are using one) and then, when the request comes back, verify the nonce and delete it.
  5. Make sure that your application is behind an SSL/TLS terminating endpoint and is not directly accessible.

And again, security is a subjective matter; it depends on how careful the Administrator/Architect is in designing and deploying the application. Also, if possible, containerize your application, probably in Docker or similar containers.

dvsakgec
  • Missed one point: also make sure that a new process is not spawned for every request, as a process is a costly thing for the OS. – dvsakgec May 24 '17 at 08:08
0

All input should be considered potentially malicious and input validation is recommended.

ProcessBuilder is relatively safe, but if a user can control all arguments like

ProcessBuilder pb = new ProcessBuilder(userInput[0], userInput[1], userInput[2]);

then a user can inject any command, which is obviously dangerous.

In case you control the first argument, like

ProcessBuilder pb = new ProcessBuilder("hardCodedCommand", userInput[0], userInput[1]);

this would be secure. However, I still strongly advise validating user input. If an argument should be numeric or a string with only alphanumeric characters, check this and fail when this is not the case.

ipper
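As an added example (not code from the question or any of the answers), one way to apply the validation this answer recommends: the executable stays hard-coded, each request parameter must be in an allowlist and match its pattern, and everything else fails closed. The install path, parameter names and patterns are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
// Added example, not code from the question or answers: build a wkhtmltopdf
// command line from request parameters with the executable hard-coded and
// every argument value checked against an allowlisted pattern.
public class PdfCommandBuilder {
    // Assumed install path; never taken from the request.
    private static final String WKHTMLTOPDF = "/usr/local/bin/wkhtmltopdf";
    // Hypothetical allowlist: request parameter -> pattern its value must match.
    // No pattern admits a leading '-', so a value can never be read as an option.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "page-size",  Pattern.compile("^(A4|A3|Letter|Legal)$"),   // fixed vocabulary
        "margin-top", Pattern.compile("^[0-9]{1,3}$"),             // numeric only
        "title",      Pattern.compile("^[A-Za-z0-9 ]{1,80}$"));    // alphanumeric
    // Input/output names are generated server-side; still checked before use.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}\\.(html|pdf)$");

    public static List<String> buildCommand(Map<String, String> params, String inputHtml, String outputPdf) {
        if (!SAFE_NAME.matcher(inputHtml).matches() || !SAFE_NAME.matcher(outputPdf).matches()) {
            throw new IllegalArgumentException("unsafe file name");
        }
        List<String> cmd = new ArrayList<>();
        cmd.add(WKHTMLTOPDF);
        for (Map.Entry<String, String> e : params.entrySet()) {
            Pattern allowed = ALLOWED.get(e.getKey());
            if (allowed == null) {
                throw new IllegalArgumentException("unknown parameter: " + e.getKey());
            }
            if (!allowed.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("invalid value for " + e.getKey());
            }
            cmd.add("--" + e.getKey());   // option name comes from the allowlist key, not the client
            cmd.add(e.getValue());        // value has matched its pattern
        }
        cmd.add(inputHtml);
        cmd.add(outputPdf);
        return cmd;   // pass to new ProcessBuilder(cmd).start()
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid request, then one whose value looks like an option.
        System.out.println(buildCommand(Map.of("page-size", "A4", "margin-top", "10"), "in_1.html", "out_1.pdf"));
        try {
            buildCommand(Map.of("title", "--some-option"), "in_1.html", "out_1.pdf");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Because the argument list is passed to ProcessBuilder as separate strings, no shell is involved; the remaining risk is the tool's own handling of its options and input, which is why the option names are never taken from the client.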