Desktop: Disable eval in pdf.js (#10450)

laurent22 · May 21, 2024 · 9fcaf5b · 9fcaf5b
1 parent 3312bd2
commit 9fcaf5b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/packages/lib/shim-init-node.ts b/packages/lib/shim-init-node.ts
@@ -736,8 +736,16 @@ function shimInit(options: ShimInitOptions = null) {
 		}
 	};
 
+	const getPdfJsDocument = (path: string) => {
+		return pdfJs.getDocument({
+			url: path,
+			// IMPORTANT: Set to false to mitigate CVE-2024-4367.
+			isEvalSupported: false,
+		});
+	};
+
 	shim.pdfExtractEmbeddedText = async (pdfPath: string): Promise<string[]> => {
-		const loadingTask = pdfJs.getDocument(pdfPath);
+		const loadingTask = getPdfJsDocument(pdfPath);
 		const doc = await loadingTask.promise;
 		const textByPage = [];
 
@@ -791,7 +799,7 @@ function shimInit(options: ShimInitOptions = null) {
 
 		const filePrefix = `page_${Date.now()}`;
 		const output: string[] = [];
-		const loadingTask = pdfJs.getDocument(pdfPath);
+		const loadingTask = getPdfJsDocument(pdfPath);
 		const doc = await loadingTask.promise;
 
 		try {

diff --git a/packages/pdf-viewer/PdfDocument.ts b/packages/pdf-viewer/PdfDocument.ts
@@ -20,9 +20,9 @@ export default class PdfDocument {
 		this.rendererMutex = withTimeout(new Mutex(), 40 * 1000);
 	}
 
-	public loadDoc = async (url: string | Uint8Array) => {
+	public loadDoc = async (url: string) => {
 		this.url = url;
-		const loadingTask = pdfjsLib.getDocument(url);
+		const loadingTask = pdfjsLib.getDocument({ url, isEvalSupported: false });
 		try {
 			const pdfDocument: any = await loadingTask.promise;
 			this.doc = pdfDocument;