trace_9922aad45ea446be85fba6dd41affd63

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start at pkg/modules/exiftool/exiftool.go in the metadata write flow. Trace how user-supplied metadata is filtered and then passed to ExifTool, and report any dangerous pseudo-tags that can still reach the ExifTool invocation in this vulnerable checkout. Ground the finding in concrete code paths and tag handling behavior.

{
  "executiveSummary": "The ExifTool metadata write path in Gotenberg contains an incomplete filter for dangerous ExifTool pseudo-tags. The filter at pkg/modules/exiftool/exiftool.go (lines 217-223) only removes 'FileName' and 'Directory' tags but fails to account for: 1) Case-insensitive tag names (e.g., 'filename' bypasses the filter), and 2) Other dangerous pseudo-tags like 'HardLink' and 'SymLink' that can create arbitrary links. This allows attackers to manipulate file system operations via crafted metadata, potentially leading to arbitrary file rename, move, or link creation.",
  "reports": [
    {
      "title": "Incomplete ExifTool Pseudo-Tag Filtering in Metadata Write Path",
      "severity": "HIGH",
      "summary": "The WriteMetadata function filters dangerous ExifTool pseudo-tags like FileName and Directory using a case-sensitive map deletion. However, ExifTool tag names are case-insensitive, allowing bypasses with lowercase variants (e.g., 'filename', 'directory'). Additionally, the filter omits other dangerous pseudo-tags like HardLink and SymLink that can create arbitrary hardlinks and symlinks on the filesystem.",
      "rootCauseAnalysis": "In pkg/modules/exiftool/exiftool.go at lines 217-223, the dangerousTags array contains only 'FileName' and 'Directory'. The delete() function uses exact string matching, which is case-sensitive. ExifTool processes tag names case-insensitively, meaning 'filename' and 'FileName' are treated identically by ExifTool but the filter only removes the exact 'FileName' string. Furthermore, the ExifTool Extra tags documentation lists HardLink and SymLink as writable pseudo-tags that can create filesystem links, but these are not filtered.",
      "impact": "An attacker can supply metadata with alternative case tag names like {'filename': '/tmp/malicious.pdf'} or {'hardlink': '/etc/passwd'} to trigger arbitrary file rename, move, hardlink, or symlink operations when ExifTool processes the PDF. This could lead to file system manipulation, data exfiltration via symlinks to sensitive files, or potentially code execution if combined with other vulnerabilities.",
      "attackPath": "1. Attacker sends multipart form to /forms/pdfengines/metadata/write with metadata JSON containing lowercase or mixed-case dangerous tags (e.g., {'filename': 'renamed.pdf'}). 2. FormDataPdfMetadata in pkg/modules/pdfengines/routes.go parses the metadata into map[string]any without transformation. 3. WriteMetadataStub calls engine.WriteMetadata which invokes the ExifTool implementation. 4. The filter at lines 217-223 fails to delete 'filename' (lowercase) because it only looks for 'FileName'. 5. The unfiltered tag reaches exifTool.WriteMetadata at line 279, invoking ExifTool with the dangerous pseudo-tag, causing file rename, move, or link creation.",
      "stepsToReproduce": [
        "Send HTTP POST to /forms/pdfengines/metadata/write with multipart form containing PDF file and metadata field with JSON: {'filename': 'attacker