self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2024-11-24 08:12:24 +02:00
Code Issues Releases Activity

Desktop: Disable eval in pdf.js (#10450)

Browse Source
This commit is contained in:
Henry Heino 2024-05-21 02:00:17 -07:00 committed by GitHub
parent 3312bd27c9
commit 9fcaf5bd18
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
packages/lib/shim-init-node.ts
View File

@ -736,8 +736,16 @@ function shimInit(options: ShimInitOptions = null) {
}
};
const getPdfJsDocument = (path: string) => {
return pdfJs.getDocument({
url: path,
// IMPORTANT: Set to false to mitigate CVE-2024-4367.
isEvalSupported: false,
});
};
shim.pdfExtractEmbeddedText = async (pdfPath: string): Promise<string[]> => {
const loadingTask = pdfJs.getDocument(pdfPath);
const loadingTask = getPdfJsDocument(pdfPath);
const doc = await loadingTask.promise;
const textByPage = [];
@ -791,7 +799,7 @@ function shimInit(options: ShimInitOptions = null) {
const filePrefix = `page_${Date.now()}`;
const output: string[] = [];
const loadingTask = pdfJs.getDocument(pdfPath);
const loadingTask = getPdfJsDocument(pdfPath);
const doc = await loadingTask.promise;
try {

4
packages/pdf-viewer/PdfDocument.ts
View File

@ -20,9 +20,9 @@ export default class PdfDocument {
this.rendererMutex = withTimeout(new Mutex(), 40 * 1000);
}
public loadDoc = async (url: string | Uint8Array) => {
public loadDoc = async (url: string) => {
this.url = url;
const loadingTask = pdfjsLib.getDocument(url);
const loadingTask = pdfjsLib.getDocument({ url, isEvalSupported: false });
try {
const pdfDocument: any = await loadingTask.promise;
this.doc = pdfDocument;