Microservices SSRF (Code Review of url-to-pdf-api)

R3zk0n · October 2, 2025

Source Code: https://github.com/alvarcarto/url-to-pdf-api

First, investigate the routes for the microservice: /src/router.js. The service uses express.

It also uses custom imports.

Investigate the /api/render endpoint:

• A validation function runs first.
• The application calls the validation function before the handler function, which is set by the last parameter (render.getRender).

The query is validated against renderQuerySchema, a Joi object (https://joi.dev/).

The schema only allows HTTP and HTTPS, which prevents access to the file:// scheme, for example.

Here, the way the microservice renders the URI is interesting and worth investigating.

This uses puppeteer, a Node library for driving Chrome or Chromium.

A new browser instance and a new page (tab) are created.

If no HTML is present in the options (so execution falls into the else branch), the browser navigates to the URL that was sent.

If the requested output is PDF, the document is returned in PDF format; if it is HTML, arbitrary JavaScript can be evaluated.
