GHSA-c5fp-p67m-gq56

Impact

It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ;

It could happens with this kind of workflows:

$stylesheet = $_GET['stylesheet']; // = ‘file:///etc/passwd’
$pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’);
 $pdf->generate(‘page.html’, ‘out.pdf’, [
   ‘xsl-style-sheet’ => $stylesheet
 ]);

Patches

A list a schema with http and https by default is used to validate the remote path by default.

Workarounds

Developers should ensure usage cannot allow (in any case) a user to pass a free input directly to the Snappy library.

// Bad example
$pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’);
 $pdf->generate(‘page.html’, ‘out.pdf’, [
   ‘xsl-style-sheet’ => $_GET['input'],
 ]);

Instead developers can list available available stylesheets and pick the right one with the user input.

// Better
$allowedStylesheets = [
    'invoice' => '/app/xsl/invoice.xsl',
    'report'  => '/app/xsl/report.xsl',
];

$key = $_GET['stylesheet'] ?? '';

if (!array_key_exists($key, $allowedStylesheets)) {
    throw new \RuntimeException('Unknown stylesheet.');
}

$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $allowedStylesheets[$key],
]);

References

Read more about SSRF at owasp.org/www-community/attacks/ServerSideRequest_Forgery