pdftract/notes/pdftract-1i366.md

pdftract-1i366: Security Constraints Documentation

Summary

Task 6.4.5: Security constraints documented + sample reverse-proxy configs (nginx + Traefik)

Work Completed

Acceptance Criteria Status

PASS - Startup banner printed clearly on serve start

• Location: crates/pdftract-cli/src/serve.rs:463
• Banner text: "*** NO BUILT-IN AUTH *** — Deploy behind a reverse proxy for production."
• Also prints max upload size and max decompression size

PASS - Attempted file-path parameter returns 404

• By design: no endpoints accept file paths from server filesystem
• All PDFs arrive via multipart/form-data upload only
• Routes: POST /extract, POST /extract/text, POST /extract/stream, GET /health
• File-path parameters (e.g., GET /extract?path=/etc/passwd) would return 404 as no such route exists

PASS - Decompression limit enforced

• Test fixture: crates/pdftract-core/tests/TH-01-stream-bomb.rs
• ExtractionOptions.max_decompress_bytes enforces limit
• Server default: --max-decompress-gb CLI flag (1 GB default)
• Per-request override: max_decompress_gb form field
• Hard cap validation: 4096 GB maximum to prevent integer overflow

PASS - Sample configs committed and validated

• docs/operations/serve-nginx-example.conf - nginx config with BasicAuth
• docs/operations/serve-traefik-example.yaml - Traefik config with BasicAuth
• Both configs validated for syntax and structure:
  • nginx: server block, location blocks, proxy_pass, auth_basic, ssl_certificate all present
  • Traefik: http section with routers, services, middlewares all present

PASS - CLI help reflects the security model

• Location: crates/pdftract-cli/src/main.rs:220-250
• Documents: no built-in auth, deploy behind reverse proxy, multipart-only upload model
• Also includes concurrency model documentation

Implementation Details

CLI Flags

• --max-upload-mb: Maximum request body size (default: 256 MB, hard cap: 4096 MB)
• --max-decompress-gb: Maximum decompression size (default: 1 GB)
• --bind: Bind address with validation warning for 0.0.0.0

Bind Address Validation

• Location: crates/pdftract-cli/src/main.rs:1626-1631
• Warns if binding to 0.0.0.0 or [::]:

  *** WARNING: Binding to 0.0.0.0:8080 exposes pdftract serve on ALL interfaces.
  *** pdftract serve has NO BUILT-IN AUTHENTICATION.
  *** Deploy behind a reverse proxy (nginx, Traefik, Caddy) for production use.
  

Request Size Limit

• Implemented via tower-http::RequestBodyLimit (imported) and axum::extract::DefaultBodyLimit
• Custom rejection handler converts tower-http's plain-text 413 to JSON error body
• Error format: {"error":"REQUEST_TOO_LARGE","message":"Request body exceeds the configured limit"}

Decompression Limit

• Server default from --max-decompress-gb CLI flag
• Per-request override via max_decompress_gb form field
• Hard cap of 4096 GB enforced in build_options()
• Converts GB to bytes: (gb as u64) * (1 << 30)

Fixes Made

Fixed test compilation error in crates/pdftract-cli/src/serve.rs:1354:

• Added missing pages field to ExtractParams test initialization
• Changed: pages: Some("1-5".to_string())

Fixed test compilation errors in crates/pdftract-core/tests/struct_tree_coverage.rs:

• Added missing max_decompress_bytes, output, and pages fields to ExtractionOptions initializations
• Used Default::default() for output field

Test Evidence

1. Startup banner: Verified in serve.rs lines 462-478
2. No file-path parameters: Verified by design - no routes accept paths
3. Decompression limit: TH-01 test exists at crates/pdftract-core/tests/TH-01-stream-bomb.rs
4. Sample configs: Validated for syntax (nginx) and structure (Traefik)
5. CLI help: Verified security model documentation in main.rs

References

• Plan section: Phase 6.4 security constraints (lines 2136-2139)
• Security Hardening epic: pdftract-bgj