From 9fcaf5bd18663dca503e2e563bf92c0c84e2a163 Mon Sep 17 00:00:00 2001
From: Henry Heino <46334387+personalizedrefrigerator@users.noreply.github.com>
Date: Tue, 21 May 2024 02:00:17 -0700
Subject: [PATCH] Desktop: Disable eval in pdf.js (#10450)
---
 packages/lib/shim-init-node.ts | 12 ++++++++++--
 packages/pdf-viewer/PdfDocument.ts | 4 ++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/packages/lib/shim-init-node.ts b/packages/lib/shim-init-node.ts
index fea43da4fc4..b60409d624e 100644
--- a/packages/lib/shim-init-node.ts
+++ b/packages/lib/shim-init-node.ts
@@ -736,8 +736,16 @@ function shimInit(options: ShimInitOptions = null) {
 }
 };
+ const getPdfJsDocument = (path: string) => {
+ return pdfJs.getDocument({
+ url: path,
+ // IMPORTANT: Set to false to mitigate CVE-2024-4367.
+ isEvalSupported: false,
+ });
+ };
+
 shim.pdfExtractEmbeddedText = async (pdfPath: string): Promise => {
- const loadingTask = pdfJs.getDocument(pdfPath);
+ const loadingTask = getPdfJsDocument(pdfPath);
 const doc = await loadingTask.promise;
 const textByPage = [];
@@ -791,7 +799,7 @@ function shimInit(options: ShimInitOptions = null) {
 const filePrefix = `page_${Date.now()}`;
 const output: string[] = [];
- const loadingTask = pdfJs.getDocument(pdfPath);
+ const loadingTask = getPdfJsDocument(pdfPath);
 const doc = await loadingTask.promise;
 try {
diff --git a/packages/pdf-viewer/PdfDocument.ts b/packages/pdf-viewer/PdfDocument.ts
index d592ba2d7cc..8e2b56317b1 100644
--- a/packages/pdf-viewer/PdfDocument.ts
+++ b/packages/pdf-viewer/PdfDocument.ts
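Review bot: The `getPdfJsDocument` helper added in the first hunk of packages/lib/shim-init-node.ts only protects callers that go through it, and nothing in the hunk says so; a later direct `pdfJs.getDocument(...)` call in this file would silently fall back to the library default. I would add a comment above the helper such as `// All PDF loads in this file must go through this helper so that isEvalSupported stays false.` The option is a workaround rather than the upstream fix, so, if the bundled pdf.js is not updated elsewhere (not visible in this patch), the comment should also record that the setting may only be relaxed once the dependency carries the fix. The second hunk in this file is the same one-line switch to the helper and needs nothing further.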
@@ -20,9 +20,9 @@ export default class PdfDocument {
 this.rendererMutex = withTimeout(new Mutex(), 40 * 1000);
 }
- public loadDoc = async (url: string | Uint8Array) => {
+ public loadDoc = async (url: string) => {
 this.url = url;
- const loadingTask = pdfjsLib.getDocument(url);
+ const loadingTask = pdfjsLib.getDocument({ url, isEvalSupported: false });
 try {
 const pdfDocument: any = await loadingTask.promise;
 this.doc = pdfDocument;
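Review bot: The `isEvalSupported: false` passed to `getDocument` in `loadDoc` carries no comment, unlike the copy in shim-init-node.ts, so the reason for it is easy to lose in a later cleanup of this call. I would put `// IMPORTANT: Keep isEvalSupported false to mitigate CVE-2024-4367.` on the line above the `getDocument` call. The signature also narrows `url` from `string | Uint8Array` to `string`, which fits the new `{ url }` form; any caller that still passes bytes would need a separate `data` path, so it is worth confirming none remain. `loadDoc`'s body continues past the end of the hunk.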