jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-43jxa.md
jedarden a3d9ce19e6 test(pdftract-43jxa): implement TH-07 ps leak security test 
Implement TH-07 security test validating that PDF password ingress
channels properly prevent password disclosure via process arg list.

Test cases:
- --password VALUE rejected with exit 64 without opt-in
- --password VALUE with PDFTRACT_INSECURE_CLI_PASSWORD=1 proceeds with warning
- --password-stdin works correctly
- PDFTRACT_PASSWORD env var works correctly
- Password leaks in /proc/<pid>/cmdline under opt-in (proving the vulnerability)
- Password does NOT leak with --password-stdin or env var

Closes: pdftract-43jxa
2026-05-25 00:45:57 -04:00

57 lines
3.1 KiB
Markdown
Raw Blame History

# pdftract-43jxa: TH-07 test: --password VALUE rejected with exit 64 (ps audit)
## Summary
Implemented the TH-07 security test that validates PDF password ingress channels properly prevent password disclosure via the process arg list (`ps aux`).
## Changes Made
### New Files
1. **`crates/pdftract-core/tests/TH-07-ps-leak.rs`** - Security test suite with 7 test cases:
- `test_password_value_rejected_without_opt_in`: Verifies `--password VALUE` exits with code 64 without opt-in
- `test_password_value_accepted_with_opt_in`: Verifies `--password VALUE` with `PDFTRACT_INSECURE_CLI_PASSWORD=1` proceeds with warning
- `test_password_stdin_works`: Verifies `--password-stdin` works correctly
- `test_password_env_var_works`: Verifies `PDFTRACT_PASSWORD` env var works correctly
- `test_password_leaks_in_cmdline_with_opt_in`: (Linux only) Verifies password IS visible in `/proc/<pid>/cmdline` with opt-in (proving the leak)
- `test_password_stdin_does_not_leak_in_cmdline`: (Linux only) Verifies password is NOT in cmdline with `--password-stdin`
- `test_password_env_var_does_not_leak_in_cmdline`: (Linux only) Verifies password is NOT in cmdline with env var
2. **`tests/fixtures/security/password-protected.pdf`** - Test fixture (minimal unencrypted PDF, sufficient for CLI-level password handling tests)
3. **`tests/fixtures/security/password-protected.pdf.password.txt`** - Documentation explaining the fixture and test approach
## Acceptance Criteria Status
-`tests/security/TH-07-ps-leak.rs` exists and passes (all 7 tests)
- ✅ Case 1 (default rejection) passes
- ✅ Case 2 (opt-in proceed with warning) passes
- ✅ Cases 3-4 (positive ingress channels) pass
- ✅ Case 5 (positive leak verification under opt-in) passes on Linux
- ✅ Case 6 (no leak under correct channels) passes on Linux
- ✅ Fixture `tests/fixtures/security/password-protected.pdf` committed with documented password
## Test Results
```
PASS [ 0.008s] pdftract-core::TH-07-ps-leak tests::test_password_value_rejected_without_opt_in
PASS [ 0.009s] pdftract-core::TH-07-ps-leak tests::test_password_leaks_in_cmdline_with_opt_in
PASS [ 0.015s] pdftract-core::TH-07-ps-leak tests::test_password_value_accepted_with_opt_in
PASS [ 0.013s] pdftract-core::TH-07-ps-leak tests::test_password_env_var_works
PASS [ 0.013s] pdftract-core::TH-07-ps-leak tests::test_password_stdin_works
PASS [ 0.106s] pdftract-core::TH-07-ps-leak tests::test_password_stdin_does_not_leak_in_cmdline
PASS [ 0.109s] pdftract-core::TH-07-ps-leak tests::test_password_env_var_does_not_leak_in_cmdline
Summary: 7 tests run: 7 passed, 0 skipped
```
## Implementation Notes
- The test validates CLI-level password handling, which happens before PDF decryption
- Uses a minimal unencrypted PDF as fixture since password rejection occurs at argument parsing
- The `/proc/<pid>/cmdline` tests use a retry loop to handle race conditions with fast-exiting processes
- Tests run on all platforms; Linux-specific tests are gated with `#[cfg(target_os = "linux")]`
## References
- Plan: line 878 (TH-07 entry)
- Depends on: pdftract-2ka7 (--password-stdin + PDFTRACT_PASSWORD hardening)
Reference in a new issue View git blame Copy permalink