Implement Asset Sanitizer Queue & Preview Check (#16053)

* Improve: add sanitizing pdf * Improve: add sanitizing pdf * Review changes - use scan instead of sanitizing * Review changes - generate a version after scanning * Review changes * Update doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md * Apply suggestions from code review Co-authored-by: Jacob Dreesen <jacob@hdreesen.de> * Update models/Asset/Document.php Co-authored-by: Jacob Dreesen <jacob@hdreesen.de> * Review changes * Update doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md Co-authored-by: aryaantony92 <97134765+aryaantony92@users.noreply.github.com> --------- Co-authored-by: Divesh Pahuja <divesh.pahuja@pimcore.com> Co-authored-by: Jacob Dreesen <jacob@hdreesen.de> Co-authored-by: aryaantony92 <97134765+aryaantony92@users.noreply.github.com>
pimcore · Oct 9, 2023 · 7573756 · 7573756
1 parent a789673
commit 7573756
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 0 deletions.
diff --git a/bundles/CoreBundle/src/DependencyInjection/Configuration.php b/bundles/CoreBundle/src/DependencyInjection/Configuration.php
@@ -553,6 +553,10 @@ private function addAssetNode(ArrayNodeDefinition $rootNode): void
                                 ->defaultTrue()
                                 ->info('Process text for Asset documents (e.g. used by backend search).')
                             ->end()
+                            ->booleanNode('scan_pdf')
+                                ->defaultTrue()
+                                ->info('Scan PDF documents for unsafe JavaScript.')
+                            ->end()
                         ->end()
                     ->end()
                     ->arrayNode('versions')

diff --git a/doc/04_Assets/README.md b/doc/04_Assets/README.md
@@ -28,6 +28,7 @@ pimcore:
                 enabled: false #disable generating thumbnail for asset documents
             process_page_count: false #disable processing page count
             process_text: false #disable processing text extraction
+            scan_pdf: false #disable scanning PDF documents for unsafe JavaScript.
 ```
 
 The sub chapters of this chapter provide insight into details for

diff --git a/doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md b/doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
@@ -20,6 +20,8 @@ pimcore:
                 enabled: false #disable generating thumbnail for asset documents
             process_page_count: false #disable processing page count
             process_text: false #disable processing text extraction
+            scan_pdf: false #disable scanning PDF documents for unsafe JavaScript.
+
 ```
 - [Elements] Properties are now only updated in the database with dirty state (when calling `setProperties` or `setProperty`).
 - `Pimcore\Helper\CsvFormulaFormatter` has been deprecated. Use `League\Csv\EscapeFormula` instead.

diff --git a/lib/Messenger/Handler/AssetUpdateTasksHandler.php b/lib/Messenger/Handler/AssetUpdateTasksHandler.php
@@ -62,6 +62,10 @@ private function saveAsset(Asset $asset): void
 
     private function processDocument(Asset\Document $asset): void
     {
+        if ($asset->getMimeType() === 'application/pdf' && $asset->checkIfPdfContainsJS()) {
+            $asset->save(['versionNote' => 'PDF scan result']);
+        }
+
         $pageCount = $asset->getCustomSetting('document_page_count');
         if (!$pageCount || $pageCount === 'failed') {
             if ($asset->processPageCount()) {

diff --git a/models/Asset/Document.php b/models/Asset/Document.php
@@ -26,6 +26,8 @@
  */
 class Document extends Model\Asset
 {
+    public const CUSTOM_SETTING_PDF_SCAN_STATUS = 'document_pdf_scan_status';
+
     protected string $type = 'document';
 
     protected function update(array $params = []): void
@@ -163,6 +165,53 @@ public function getText(int $page = null): ?string
         return null;
     }
 
+    public function checkIfPdfContainsJS(): bool
+    {
+        if (!$this->isPdfScanningEnabled()) {
+           return false;
+        }
+
+        $this->setCustomSetting(
+            self::CUSTOM_SETTING_PDF_SCAN_STATUS,
+            Model\Asset\Enum\PdfScanStatus::IN_PROGRESS->value
+        );
+
+        $chunkSize = 1024;
+        $filePointer = $this->getStream();
+
+        $tagLength = strlen('/JS');
+
+        while ($chunk = fread($filePointer, $chunkSize)) {
+            if (strlen($chunk) <= $tagLength) {
+                break;
+            }
+
+            if (str_contains($chunk, '/JS') || str_contains($chunk, '/JavaScript')) {
+                $this->setCustomSetting(
+                    self::CUSTOM_SETTING_PDF_SCAN_STATUS,
+                    Model\Asset\Enum\PdfScanStatus::UNSAFE->value
+                );
+                return true;
+            }
+        }
+
+        $this->setCustomSetting(
+            self::CUSTOM_SETTING_PDF_SCAN_STATUS,
+            Model\Asset\Enum\PdfScanStatus::SAFE->value
+        );
+
+        return true;
+    }
+
+    public function getScanStatus(): ?Model\Asset\Enum\PdfScanStatus
+    {
+        if ($scanStatus = $this->getCustomSetting(self::CUSTOM_SETTING_PDF_SCAN_STATUS)) {
+            return Model\Asset\Enum\PdfScanStatus::tryFrom($scanStatus);
+        }
+
+        return null;
+    }
+
     private function isThumbnailsEnabled(): bool
     {
         return Config::getSystemConfiguration('assets')['document']['thumbnails']['enabled'];
@@ -177,4 +226,9 @@ private function isTextProcessingEnabled(): bool
     {
         return Config::getSystemConfiguration('assets')['document']['process_text'];
     }
+
+    private function isPdfScanningEnabled(): bool
+    {
+        return Config::getSystemConfiguration('assets')['document']['scan_pdf'];
+    }
 }
diff --git a/models/Asset/Enum/PdfScanStatus.php b/models/Asset/Enum/PdfScanStatus.php
@@ -0,0 +1,24 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Model\Asset\Enum;
+
+enum PdfScanStatus: string
+{
+    case SAFE = 'safe';
+    case UNSAFE = 'unsafe';
+    case IN_PROGRESS = 'inProgress';
+}
diff --git a/models/Element/Service.php b/models/Element/Service.php
@@ -731,6 +731,10 @@ public static function renewReferences(mixed $data, bool $initial = true, string
             return $data;
         }
         if (is_object($data)) {
+            if ($data instanceof \UnitEnum) {
+                return $data;
+            }
+
             if ($data instanceof ElementInterface && !$initial) {
                 return self::getElementById(self::getElementType($data), $data->getId());
             }