
PDF.js Vulnerability #234

Closed

joshuanapoli opened this issue May 22, 2024 · 5 comments

Comments

joshuanapoli commented May 22, 2024

The pdfjs-dist dependency is pinned to version 3.2.146 which has vulnerability CVE-2024-4367. This is fixed in pdfjs-dist version 4.2.67.

This should be solved by #233... but there is a problem with "PromiseWithResolvers". The TypeScript error might be avoided by setting skipLibCheck in tsconfig.

Unfortunately that still leaves the following error, which I don't know how to solve.

src/index.ts:111:15 - error TS2740: Type 'CanvasRenderingContext2D' is missing the following properties from type 'CanvasRenderingContext2D': getContextAttributes, isPointInStroke, createConicGradient, filter, and 5 more.

111               canvasContext: context,
                  ~~~~~~~~~~~~~

  node_modules/pdfjs-dist/types/src/display/api.d.ts:372:5
    372     canvasContext: CanvasRenderingContext2D;
            ~~~~~~~~~~~~~
    The expected type comes from property 'canvasContext' which is declared here on type 'RenderParameters'


Found 1 error in src/index.ts:111
k-yle (Owner) commented May 22, 2024

Thanks for the heads-up. Unfortunately this fix has not been backported to v3.

v4 is a breaking change which no longer includes a commonjs export, so there is no way that we can fix this without forcing all users of this package to upgrade to esm modules.

Even a dynamic import (await import("pdfjs-dist/legacy/build/pdf.mjs")) doesn't work because the compiled code uses top-level await. I'll take a more detailed look tomorrow, but as far as I can tell there is no way to fix this in a backwards compatible manner 🙁

k-yle added a commit that referenced this issue May 23, 2024
joshuanapoli (Author) commented

Ok, thank you for checking. I also tried upgrading pdfjs-dist. I couldn't find a way to make it work.

k-yle (Owner) commented May 25, 2024

In mozilla/pdf.js#18168 (comment), the maintainers confirmed that the patch will not be backported to v3.

So, I've released a new version of this module, which sets isEvalSupported to false by default: bdac3a1, 4a9b1d4

@k-yle k-yle closed this as completed May 25, 2024
marlon-sousa commented

Hello,

We are having audit issues because of pdfjs-dist.

By reading this issue, I understand that although eval is set to false, the "problematic" dependency still exists, and that there is no way around it.

Is this right?

If so, is there a way we can just ignore that in the audit scripts?

k-yle (Owner) commented May 29, 2024

Yes, if you upgrade to v3 of this library, then eval is disabled by default, so there is no risk.

Unfortunately, audit tools won't understand this :(

I'm looking into alternative solutions that won't force everyone to use ESM modules and Node.js v22, but there's no straightforward solution.
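The reasoning in this thread, as an added example that is not code from this module or from pdfjs-dist: a pdfjs-dist below 4.2.67 carries CVE-2024-4367, but a build that passes `isEvalSupported: false` to `getDocument()` is mitigated, which is what the maintainer's fix does and what an audit tool cannot see. The function names (`assessPdfjsRisk`, `hardenGetDocumentParams`) and the plain numeric version comparison are assumptions of this example.

```javascript
// First pdfjs-dist release with the fix, as stated in the issue.
const FIXED_VERSION = "4.2.67";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release tags are not handled (assumption for this example).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify an installed pdfjs-dist as "fixed", "mitigated" or "vulnerable"
// for CVE-2024-4367, given the parameters the application passes to getDocument().
function assessPdfjsRisk(installedVersion, getDocumentParams = {}) {
  if (compareVersions(installedVersion, FIXED_VERSION) >= 0) return "fixed";
  // On an unfixed build only an explicit isEvalSupported: false counts,
  // because pdfjs-dist's own default for this option is true.
  return getDocumentParams.isEvalSupported === false ? "mitigated" : "vulnerable";
}

// Force the mitigation into the parameters handed to getDocument(), refusing
// a caller's attempt to re-enable eval of embedded font programs.
function hardenGetDocumentParams(userParams = {}) {
  if (userParams.isEvalSupported === true) {
    throw new Error(
      "isEvalSupported: true is not allowed with pdfjs-dist < " + FIXED_VERSION
    );
  }
  return { ...userParams, isEvalSupported: false };
}

// Usage sketch (pdfjs-dist is deliberately not imported, so this runs stand-alone):
//   const task = pdfjs.getDocument(hardenGetDocumentParams({ data: pdfBytes }));
```

Recording the "mitigated" verdict next to the suppressed audit finding keeps the exception reviewable when pdfjs-dist is eventually upgraded.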
