pdftract/notes/bf-ieaa9.md
jedarden b970bc2d66 feat(bf-2f5ew): add Tier 4 competitive benchmark runner and results structure
- Create benches/results/.gitkeep and README.md
- Create benches/competitors/run_all.py Python orchestration script
- Script runs competitor benchmarks (pdftract, pdfminer.six, pypdf, pdfplumber)
- Emits benches/results/<commit-sha>.json with throughput metrics
- Add tier4-competitor-runner to pdftract-ci Argo WorkflowTemplate
- Runs only on main branch to track performance over time
- Acceptance criteria: ratio_pdfminer ≥ 10.0, ratio_pypdf ≥ 5.0

Closes bf-2f5ew

Files created:
- benches/results/.gitkeep
- benches/results/README.md
- benches/competitors/run_all.py
- notes/bf-2f5ew.md

Files modified:
- .ci/argo-workflows/pdftract-ci.yaml
2026-07-05 12:42:15 -04:00

74 lines
3.7 KiB
Markdown

# bf-ieaa9: Verify no JavaScript execution during extraction
## Summary
Verified that pdftract does NOT execute embedded JavaScript during PDF extraction, confirming the TH-04 threat model mitigation.
## What Was Done
### 1. Dependency Verification
- Verified no JavaScript engine dependencies in the cargo tree
- Confirmed absence of: `boa`, `deno_core`, `v8`, `quickjs`, `rusty_javascript`, `rquickjs`, `js-sys`
- Without a JS engine, JavaScript execution is impossible at the binary level
### 2. Code Review: src/javascript.rs
- Confirmed only string extraction via `String::from_utf8_lossy()`
- No `eval()`, `exec()`, or any code execution primitives
- Added comprehensive security boundary documentation (TH-04) explaining:
- No JavaScript Engine: No dependency on JS execution engines
- String-Only Processing: JavaScript code extracted as raw byte strings
- Explicit Diagnostic: Emits "JavaScript was NOT executed" message
### 3. Enhanced Test Coverage: tests/TH-04-js-presence.rs
- Added explicit assertion that diagnostic states "JavaScript was NOT executed"
- Added security boundary verification comments explaining why no side effects occur
- Enhanced `test_no_js_engine_in_deps()` with comprehensive documentation
- All 4 tests pass: `test_javascript_detection`, `test_no_javascript`, `test_no_js_engine_in_deps`, `test_json_output_includes_javascript_actions`
### 4. Runtime Verification
Extracted `tests/fixtures/security/embedded-js.pdf` which contains:
- `app.alert("pwn")` in catalog `/OpenAction`
- `app.alert('page_open')` in page 0 `/AA/O`
- `app.alert('annot_action')` in page 1 annotation `/A`
Result:
- Extraction succeeded (exit 0)
- Diagnostic emitted: "Detected 1 JavaScript action(s) in PDF document. JavaScript was NOT executed."
- No `app.alert()` popup displayed (no side effects)
- JavaScript extracted as string data only: `"app.alert(\"pwn\")"`
## Acceptance Criteria
-**PASS**: Extraction completes without executing JavaScript
- Verified: Extracted embedded-js.pdf successfully, no side effects occurred
- No panic, abort, or popup from `app.alert()` calls
-**PASS**: No app.alert or other JS side effects occur
- The fixture contains `app.alert("pwn")` which would display a dialog if executed
- No alert was shown - extraction completed normally
- Confirmed by reaching test assertions without interruption
-**PASS**: Test or code explicitly verifies non-execution
- Added explicit assertion: `diagnostics.iter().any(|d| d.contains("JavaScript was NOT executed"))`
- Added comprehensive security boundary documentation in `src/javascript.rs`
- Enhanced `test_no_js_engine_in_deps()` with threat model compliance explanation
-**PASS**: Security boundary is documented in code comments
- Added detailed security boundary documentation in `src/javascript.rs` header
- Documented string-only processing (no evaluation/parsing/execution)
- Explained threat model compliance (TH-04 mitigation)
- Added inline comments in tests explaining why no side effects occur
## Verification Files
- `/home/coding/pdftract/crates/pdftract-core/src/javascript.rs` - Security boundary documentation
- `/home/coding/pdftract/crates/pdftract-core/tests/TH-04-js-presence.rs` - Enhanced test coverage
- `/home/coding/pdftract/tests/fixtures/security/embedded-js.pdf` - Test fixture with JavaScript
## Threat Model Compliance
**TH-04**: "JavaScript embedded in `/AA`, `/OpenAction`, or `/JS` entries triggers execution"
**Mitigation**: "pdftract NEVER executes embedded JavaScript; presence is flagged as a `JAVASCRIPT_PRESENT` diagnostic (info-level) and surfaced in the JSON output as `metadata.javascript_actions[]` for downstream review"
**Status**: ✅ VERIFIED - JavaScript is detected but NOT executed