
The code converts the current HTML page into a PDF and shows it to the user. I have never worked with wkhtmltopdf before and I am more concerned about security. Is it safe to run it on the server? What should I do to make it more secure?

    // Requires: using System.Diagnostics; using System.IO;
    // The page URL is passed as one quoted argument; "-" sends the PDF to stdout.
    string args = string.Format("\"{0}\" - ", Request.Url.AbsoluteUri);
    var startInfo = new ProcessStartInfo(Server.MapPath("bin\\wkhtmltopdf.exe"), args)
    {
        UseShellExecute = false,   // start the .exe directly, without a shell
        CreateNoWindow = true,
        RedirectStandardOutput = true
    };
    byte[] buffer;
    using (var proc = new Process { StartInfo = startInfo })
    using (var pdf = new MemoryStream())
    {
        proc.Start();
        // The PDF is binary: copy the raw stdout bytes instead of decoding them as text.
        proc.StandardOutput.BaseStream.CopyTo(pdf);
        proc.WaitForExit();
        buffer = pdf.ToArray();
    }
    Response.ContentType = "application/pdf";
    Response.BinaryWrite(buffer);
    Response.End();

I tried to use iTextSharp, but I had issues with it when using the Arabic language.

Please suggest if I can do it in a better way.

My requirement is simple: I want to pass a URL to a function which will convert the HTML page into a PDF and show it as a download to the user.

Neeku
Learning
  • A similar question: [How to run wkhtmltopdf securely on user-supplied HTML?](http://stackoverflow.com/questions/24205769/how-to-run-wkhtmltopdf-securely-on-user-supplied-html) – Roman Starkov Jun 20 '14 at 11:16

1 Answer


Well, I am not sure if the arguments can run. Just as a test, try this " | cmd.exe" to see if anything opens on the server, or you can try " | del . /Q" as a test. Hmm, maybe not the del; you must have made a backup, or use a virtual PC. But how to test if you don't use anything like this?

The pipeline command | is used on the command line to execute a second command in a row on the system, or to connect two commands together.

Normally the arguments do not run, so the next security concern is the .exe itself: what this .exe can do and what not.

To make it secure in general, you must give the correct permissions to your ASP.NET application and isolate it in its directory.

Aristos
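An added example (not code from the question or the answer) of the two points discussed above: the process is started without a shell, so `|` in an argument is an ordinary character, and the URL is validated before wkhtmltopdf ever sees it. `PdfRenderer`, `AllowedHosts` and the host `www.example.com` are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;

// Hypothetical helper for illustration; not part of the original post.
public static class PdfRenderer
{
    // Assumption: only pages of this site are ever rendered (constructed host name).
    static readonly string[] AllowedHosts = { "www.example.com" };

    public static string BuildArguments(string url)
    {
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri))
            throw new ArgumentException("Not an absolute URL.");
        // Reject file:// and other schemes so the converter is never pointed at local files.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Only http/https URLs are rendered.");
        if (!AllowedHosts.Contains(uri.Host, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException("Host is not on the allow-list.");
        // AbsoluteUri is percent-encoded; a literal quote would end the quoted argument,
        // so refuse it as defense in depth.
        string safe = uri.AbsoluteUri;
        if (safe.IndexOf('"') >= 0)
            throw new ArgumentException("Unexpected quote in URL.");
        return string.Format(
            "--quiet --disable-javascript --disable-local-file-access \"{0}\" -", safe);
    }

    public static byte[] Render(string exePath, string url, int timeoutMs = 30000)
    {
        var info = new ProcessStartInfo(exePath, BuildArguments(url))
        {
            UseShellExecute = false,   // no cmd.exe involved, so '|' and '&' are plain text
            CreateNoWindow = true,
            RedirectStandardOutput = true
        };
        using (var proc = Process.Start(info))
        using (var pdf = new MemoryStream())
        {
            // The PDF is binary: copy raw stdout bytes, and bound how long a render may take.
            var copy = proc.StandardOutput.BaseStream.CopyToAsync(pdf);
            if (!copy.Wait(timeoutMs)) { proc.Kill(); throw new TimeoutException("Render timed out."); }
            proc.WaitForExit();
            if (proc.ExitCode != 0) throw new InvalidOperationException("wkhtmltopdf failed.");
            return pdf.ToArray();
        }
    }
}
```

Running the application pool under a low-privilege account with access only to its own directory, as the answer suggests, limits what the .exe can do if a page it renders misbehaves.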