- Create benches/results/.gitkeep and README.md - Create benches/competitors/run_all.py Python orchestration script - Script runs competitor benchmarks (pdftract, pdfminer.six, pypdf, pdfplumber) - Emits benches/results/<commit-sha>.json with throughput metrics - Add tier4-competitor-runner to pdftract-ci Argo WorkflowTemplate - Runs only on main branch to track performance over time - Acceptance criteria: ratio_pdfminer ≥ 10.0, ratio_pypdf ≥ 5.0 Closes bf-2f5ew Files created: - benches/results/.gitkeep - benches/results/README.md - benches/competitors/run_all.py - notes/bf-2f5ew.md Files modified: - .ci/argo-workflows/pdftract-ci.yaml
3.7 KiB
bf-ieaa9: Verify no JavaScript execution during extraction
Summary
Verified that pdftract does NOT execute embedded JavaScript during PDF extraction, confirming the TH-04 threat model mitigation.
What Was Done
1. Dependency Verification
- Verified no JavaScript engine dependencies in the cargo tree
- Confirmed absence of:
boa,deno_core,v8,quickjs,rusty_javascript,rquickjs,js-sys - Without a JS engine, JavaScript execution is impossible at the binary level
2. Code Review: src/javascript.rs
- Confirmed only string extraction via
String::from_utf8_lossy() - No
eval(),exec(), or any code execution primitives - Added comprehensive security boundary documentation (TH-04) explaining:
- No JavaScript Engine: No dependency on JS execution engines
- String-Only Processing: JavaScript code extracted as raw byte strings
- Explicit Diagnostic: Emits "JavaScript was NOT executed" message
3. Enhanced Test Coverage: tests/TH-04-js-presence.rs
- Added explicit assertion that diagnostic states "JavaScript was NOT executed"
- Added security boundary verification comments explaining why no side effects occur
- Enhanced
test_no_js_engine_in_deps()with comprehensive documentation - All 4 tests pass:
test_javascript_detection,test_no_javascript,test_no_js_engine_in_deps,test_json_output_includes_javascript_actions
4. Runtime Verification
Extracted tests/fixtures/security/embedded-js.pdf which contains:
app.alert("pwn")in catalog/OpenActionapp.alert('page_open')in page 0/AA/Oapp.alert('annot_action')in page 1 annotation/A
Result:
- Extraction succeeded (exit 0)
- Diagnostic emitted: "Detected 1 JavaScript action(s) in PDF document. JavaScript was NOT executed."
- No
app.alert()popup displayed (no side effects) - JavaScript extracted as string data only:
"app.alert(\"pwn\")"
Acceptance Criteria
-
✅ PASS: Extraction completes without executing JavaScript
- Verified: Extracted embedded-js.pdf successfully, no side effects occurred
- No panic, abort, or popup from
app.alert()calls
-
✅ PASS: No app.alert or other JS side effects occur
- The fixture contains
app.alert("pwn")which would display a dialog if executed - No alert was shown - extraction completed normally
- Confirmed by reaching test assertions without interruption
- The fixture contains
-
✅ PASS: Test or code explicitly verifies non-execution
- Added explicit assertion:
diagnostics.iter().any(|d| d.contains("JavaScript was NOT executed")) - Added comprehensive security boundary documentation in
src/javascript.rs - Enhanced
test_no_js_engine_in_deps()with threat model compliance explanation
- Added explicit assertion:
-
✅ PASS: Security boundary is documented in code comments
- Added detailed security boundary documentation in
src/javascript.rsheader - Documented string-only processing (no evaluation/parsing/execution)
- Explained threat model compliance (TH-04 mitigation)
- Added inline comments in tests explaining why no side effects occur
- Added detailed security boundary documentation in
Verification Files
/home/coding/pdftract/crates/pdftract-core/src/javascript.rs- Security boundary documentation/home/coding/pdftract/crates/pdftract-core/tests/TH-04-js-presence.rs- Enhanced test coverage/home/coding/pdftract/tests/fixtures/security/embedded-js.pdf- Test fixture with JavaScript
Threat Model Compliance
TH-04: "JavaScript embedded in /AA, /OpenAction, or /JS entries triggers execution"
Mitigation: "pdftract NEVER executes embedded JavaScript; presence is flagged as a JAVASCRIPT_PRESENT diagnostic (info-level) and surfaced in the JSON output as metadata.javascript_actions[] for downstream review"
Status: ✅ VERIFIED - JavaScript is detected but NOT executed