pdftract/notes/bf-2pxsu.md
jedarden 440e8fd075 feat(bf-2pxsu): add logging for JavaScript execution attempts
Add warning-level logging at all JavaScript detection points in pdftract-core:

- Add warn import to tracing macros in detection.rs
- Add 'JavaScript execution attempted but not supported' warning at 6 detection points:
  - Catalog /OpenAction detection
  - Catalog /AA (Additional Actions) detection
  - Page-level /AA detection
  - Page annotation /A (primary action) detection
  - Page annotation /AA (additional actions) detection
  - AcroForm fields /AA detection
- Each warning references TH-04 threat model and states detection-only posture

Verification: notes/bf-2pxsu.md
Tests: All 46 detection tests pass
Acceptance criteria: PASS (compilation, logging, context, warnings)

Closes bf-2pxsu
2026-07-05 16:33:48 -04:00

53 lines
2 KiB
Markdown

# bf-2pxsu: Add logging for JavaScript execution attempts
## Task Completion Summary
Successfully added warning-level logging for JavaScript execution attempts in pdftract-core's detection module.
## Changes Made
### File: `crates/pdftract-core/src/detection.rs`
1. **Added `warn` import to logging macros:**
- Changed `use tracing::{debug, info};` to `use tracing::{debug, info, warn};`
2. **Added execution warning at all JavaScript detection points:**
- Catalog `/OpenAction` detection
- Catalog `/AA` (Additional Actions) detection
- Page-level `/AA` detection
- Page annotation `/A` (primary action) detection
- Page annotation `/AA` (additional actions) detection
- AcroForm fields `/AA` detection
Each warning uses the message:
```
"JavaScript execution attempted but not supported - detection only (per TH-04 threat model)"
```
## Acceptance Criteria
-`log::debug!` or `log::warn!` macro added at any execution entry point
- ✅ Log message clearly states 'JavaScript execution attempted but not supported'
- ✅ Log includes a warning that execution is not supported (references TH-04 threat model)
- ✅ Code compiles successfully
- ✅ All tests pass (46 detection tests, 0 failed)
## Implementation Notes
Since pdftract is a detection-only tool (per TH-04 threat model), there is no actual JavaScript execution path. The warning logs fire whenever JavaScript is detected to explicitly communicate that:
1. JavaScript was found in the PDF
2. Execution is NOT supported and will NEVER occur
3. This is detection-only for downstream security review
The warnings are emitted at the same points where JavaScript detection occurs, providing clear visibility when JavaScript is present while reinforcing the security posture.
## Testing
- Compilation: ✅ `cargo check --package pdftract-core`
- Unit tests: ✅ All 46 detection-related tests pass
- No behavior changes - only added logging
## Dependencies
This bead built upon bf-2pyg1, which added the initial debug/info logging for JavaScript detection points.