Implement TH-07 security test validating that PDF password ingress channels properly prevent password disclosure via process arg list. Test cases: - --password VALUE rejected with exit 64 without opt-in - --password VALUE with PDFTRACT_INSECURE_CLI_PASSWORD=1 proceeds with warning - --password-stdin works correctly - PDFTRACT_PASSWORD env var works correctly - Password leaks in /proc/<pid>/cmdline under opt-in (proving the vulnerability) - Password does NOT leak with --password-stdin or env var Closes: pdftract-43jxa |
||
|---|---|---|
| .. | ||
| benches | ||
| build | ||
| examples | ||
| proptest-regressions/parser/lexer | ||
| src | ||
| tests | ||
| __test__.pdf | ||
| build.rs | ||
| Cargo.toml | ||
| pdftract-core.cdx.json | ||
| README.md | ||
pdftract-core
The core Rust library for PDF text extraction. This crate provides the parsing, layout analysis, font encoding recovery, and text extraction primitives used by the CLI (pdftract-cli) and Python bindings (pdftract-py).
Cargo.lock Policy
This workspace checks in Cargo.lock at the repository root. This is unconventional for library crates—the Cargo Book historically suggested that only binary crates should check in lockfiles, allowing library consumers to resolve their own dependency versions.
pdftract departs from this convention for release reproducibility:
-
SLSA Level 3 provenance requires that every milestone tag produces byte-identical artifacts across builds. Without a checked-in lockfile, two runs of
cargo buildon the same commit can resolve different transitive dependency versions, producing different binary hashes. -
Multi-output artifacts—this workspace produces Rust crates (
pdftract-core,pdftract-cli), Python wheels (pdftract-py), and Docker images. All must be built from the same dependency tree. -
Supply-chain security—the lockfile pins checksums for all transitive dependencies, enabling
cargo auditto detect yanked or compromised crates. -
Downstream consumers can still ignore the lockfile if needed. Cargo allows
cargo build --frozenwith a local lockfile override, or consumers can vendor the crate with their own dependency resolution.
The tradeoff—occasional merge conflicts when PRs update overlapping dependencies—is worth the guarantee of reproducible releases. See CONTRIBUTING.md for the lockfile-update workflow.
Modules
parser: PDF spec parsing (xref, trailer, object streams, indirect references)font: Font encoding recovery, glyph name lookup, fingerprintinglayout: Page layout analysis, region segmentation, reading orderextract: Text extraction with provenance (bounding boxes, confidence scores)ocr: Tesseract integration for raster pages
Usage
use pdftract_core::{extract_text, ExtractOptions};
let options = ExtractOptions::default();
let result = extract_text("document.pdf", &options)?;
println!("{}", result.text);