The PDF import functionality is vulnerable to OS command injection because `spawn` is called with the `shell` option enabled. With `shell: true`, Node joins the command and its arguments into one string and hands it to the system shell, so the manual quoting around `pdfFilePath` does not isolate it: an attacker who controls the value of the `pdfFilePath` variable can inject OS commands.
File: pdf.ts (lines: 39-47)
Vulnerable code snippet:
```typescript
// Assumed imports; the real ones live elsewhere in pdf.ts
import { spawn } from "child_process";
import * as path from "path";

const task = spawn(
  "pdf2svg",
  [
    `"${pdfFilePath}"`, // manual quoting, defeated by a path containing a quote or other shell metacharacter
    `"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
    "all",
  ],
  { shell: true }, // the joined command line is re-parsed by the shell
)
```