- Create benches/results/.gitkeep and README.md - Create benches/competitors/run_all.py Python orchestration script - Script runs competitor benchmarks (pdftract, pdfminer.six, pypdf, pdfplumber) - Emits benches/results/<commit-sha>.json with throughput metrics - Add tier4-competitor-runner to pdftract-ci Argo WorkflowTemplate - Runs only on main branch to track performance over time - Acceptance criteria: ratio_pdfminer ≥ 10.0, ratio_pypdf ≥ 5.0 Closes bf-2f5ew Files created: - benches/results/.gitkeep - benches/results/README.md - benches/competitors/run_all.py - notes/bf-2f5ew.md Files modified: - .ci/argo-workflows/pdftract-ci.yaml
74 lines
3.7 KiB
Markdown
74 lines
3.7 KiB
Markdown
# bf-ieaa9: Verify no JavaScript execution during extraction
|
|
|
|
## Summary
|
|
|
|
Verified that pdftract does NOT execute embedded JavaScript during PDF extraction, confirming the TH-04 threat model mitigation.
|
|
|
|
## What Was Done
|
|
|
|
### 1. Dependency Verification
|
|
- Verified no JavaScript engine dependencies in the cargo tree
|
|
- Confirmed absence of: `boa`, `deno_core`, `v8`, `quickjs`, `rusty_javascript`, `rquickjs`, `js-sys`
|
|
- Without a JS engine, JavaScript execution is impossible at the binary level
|
|
|
|
### 2. Code Review: src/javascript.rs
|
|
- Confirmed only string extraction via `String::from_utf8_lossy()`
|
|
- No `eval()`, `exec()`, or any code execution primitives
|
|
- Added comprehensive security boundary documentation (TH-04) explaining:
|
|
- No JavaScript Engine: No dependency on JS execution engines
|
|
- String-Only Processing: JavaScript code extracted as raw byte strings
|
|
- Explicit Diagnostic: Emits "JavaScript was NOT executed" message
|
|
|
|
### 3. Enhanced Test Coverage: tests/TH-04-js-presence.rs
|
|
- Added explicit assertion that diagnostic states "JavaScript was NOT executed"
|
|
- Added security boundary verification comments explaining why no side effects occur
|
|
- Enhanced `test_no_js_engine_in_deps()` with comprehensive documentation
|
|
- All 4 tests pass: `test_javascript_detection`, `test_no_javascript`, `test_no_js_engine_in_deps`, `test_json_output_includes_javascript_actions`
|
|
|
|
### 4. Runtime Verification
|
|
Extracted `tests/fixtures/security/embedded-js.pdf` which contains:
|
|
- `app.alert("pwn")` in catalog `/OpenAction`
|
|
- `app.alert('page_open')` in page 0 `/AA/O`
|
|
- `app.alert('annot_action')` in page 1 annotation `/A`
|
|
|
|
Result:
|
|
- Extraction succeeded (exit 0)
|
|
- Diagnostic emitted: "Detected 1 JavaScript action(s) in PDF document. JavaScript was NOT executed."
|
|
- No `app.alert()` popup displayed (no side effects)
|
|
- JavaScript extracted as string data only: `"app.alert(\"pwn\")"`
|
|
|
|
## Acceptance Criteria
|
|
|
|
- ✅ **PASS**: Extraction completes without executing JavaScript
|
|
- Verified: Extracted embedded-js.pdf successfully, no side effects occurred
|
|
- No panic, abort, or popup from `app.alert()` calls
|
|
|
|
- ✅ **PASS**: No app.alert or other JS side effects occur
|
|
- The fixture contains `app.alert("pwn")` which would display a dialog if executed
|
|
- No alert was shown - extraction completed normally
|
|
- Confirmed by reaching test assertions without interruption
|
|
|
|
- ✅ **PASS**: Test or code explicitly verifies non-execution
|
|
- Added explicit assertion: `diagnostics.iter().any(|d| d.contains("JavaScript was NOT executed"))`
|
|
- Added comprehensive security boundary documentation in `src/javascript.rs`
|
|
- Enhanced `test_no_js_engine_in_deps()` with threat model compliance explanation
|
|
|
|
- ✅ **PASS**: Security boundary is documented in code comments
|
|
- Added detailed security boundary documentation in `src/javascript.rs` header
|
|
- Documented string-only processing (no evaluation/parsing/execution)
|
|
- Explained threat model compliance (TH-04 mitigation)
|
|
- Added inline comments in tests explaining why no side effects occur
|
|
|
|
## Verification Files
|
|
|
|
- `/home/coding/pdftract/crates/pdftract-core/src/javascript.rs` - Security boundary documentation
|
|
- `/home/coding/pdftract/crates/pdftract-core/tests/TH-04-js-presence.rs` - Enhanced test coverage
|
|
- `/home/coding/pdftract/tests/fixtures/security/embedded-js.pdf` - Test fixture with JavaScript
|
|
|
|
## Threat Model Compliance
|
|
|
|
**TH-04**: "JavaScript embedded in `/AA`, `/OpenAction`, or `/JS` entries triggers execution"
|
|
|
|
**Mitigation**: "pdftract NEVER executes embedded JavaScript; presence is flagged as a `JAVASCRIPT_PRESENT` diagnostic (info-level) and surfaced in the JSON output as `metadata.javascript_actions[]` for downstream review"
|
|
|
|
**Status**: ✅ VERIFIED - JavaScript is detected but NOT executed
|