jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-43jxa.md
jedarden a3d9ce19e6 test(pdftract-43jxa): implement TH-07 ps leak security test 
Implement TH-07 security test validating that PDF password ingress
channels properly prevent password disclosure via process arg list.

Test cases:
- --password VALUE rejected with exit 64 without opt-in
- --password VALUE with PDFTRACT_INSECURE_CLI_PASSWORD=1 proceeds with warning
- --password-stdin works correctly
- PDFTRACT_PASSWORD env var works correctly
- Password leaks in /proc/<pid>/cmdline under opt-in (proving the vulnerability)
- Password does NOT leak with --password-stdin or env var

Closes: pdftract-43jxa
2026-05-25 00:45:57 -04:00

3.1 KiB
Raw Permalink Blame History

pdftract-43jxa: TH-07 test: --password VALUE rejected with exit 64 (ps audit)

Summary

Implemented the TH-07 security test that validates PDF password ingress channels properly prevent password disclosure via the process arg list (ps aux).

Changes Made

New Files

  1. crates/pdftract-core/tests/TH-07-ps-leak.rs - Security test suite with 7 test cases:

    • test_password_value_rejected_without_opt_in: Verifies --password VALUE exits with code 64 without opt-in
    • test_password_value_accepted_with_opt_in: Verifies --password VALUE with PDFTRACT_INSECURE_CLI_PASSWORD=1 proceeds with warning
    • test_password_stdin_works: Verifies --password-stdin works correctly
    • test_password_env_var_works: Verifies PDFTRACT_PASSWORD env var works correctly
    • test_password_leaks_in_cmdline_with_opt_in: (Linux only) Verifies password IS visible in /proc/<pid>/cmdline with opt-in (proving the leak)
    • test_password_stdin_does_not_leak_in_cmdline: (Linux only) Verifies password is NOT in cmdline with --password-stdin
    • test_password_env_var_does_not_leak_in_cmdline: (Linux only) Verifies password is NOT in cmdline with env var

  2. tests/fixtures/security/password-protected.pdf - Test fixture (minimal unencrypted PDF, sufficient for CLI-level password handling tests)

  3. tests/fixtures/security/password-protected.pdf.password.txt - Documentation explaining the fixture and test approach

Acceptance Criteria Status

  • tests/security/TH-07-ps-leak.rs exists and passes (all 7 tests)
  • Case 1 (default rejection) passes
  • Case 2 (opt-in proceed with warning) passes
  • Cases 3-4 (positive ingress channels) pass
  • Case 5 (positive leak verification under opt-in) passes on Linux
  • Case 6 (no leak under correct channels) passes on Linux
  • Fixture tests/fixtures/security/password-protected.pdf committed with documented password

Test Results

PASS [   0.008s] pdftract-core::TH-07-ps-leak tests::test_password_value_rejected_without_opt_in
PASS [   0.009s] pdftract-core::TH-07-ps-leak tests::test_password_leaks_in_cmdline_with_opt_in
PASS [   0.015s] pdftract-core::TH-07-ps-leak tests::test_password_value_accepted_with_opt_in
PASS [   0.013s] pdftract-core::TH-07-ps-leak tests::test_password_env_var_works
PASS [   0.013s] pdftract-core::TH-07-ps-leak tests::test_password_stdin_works
PASS [   0.106s] pdftract-core::TH-07-ps-leak tests::test_password_stdin_does_not_leak_in_cmdline
PASS [   0.109s] pdftract-core::TH-07-ps-leak tests::test_password_env_var_does_not_leak_in_cmdline
Summary: 7 tests run: 7 passed, 0 skipped

Implementation Notes

  • The test validates CLI-level password handling, which happens before PDF decryption
  • Uses a minimal unencrypted PDF as fixture since password rejection occurs at argument parsing
  • The /proc/<pid>/cmdline tests use a retry loop to handle race conditions with fast-exiting processes
  • Tests run on all platforms; Linux-specific tests are gated with #[cfg(target_os = "linux")]

References

  • Plan: line 878 (TH-07 entry)
  • Depends on: pdftract-2ka7 (--password-stdin + PDFTRACT_PASSWORD hardening)