Conversation

@hand-dot hand-dot commented Sep 9, 2025

vercel bot commented Sep 9, 2025

1 Skipped Deployment

Project: pdfme-playground | Deployment: Ignored | Preview: Ignored | Updated (UTC): Sep 9, 2025 6:15am

@dosubot dosubot bot added the "size:XS" label (This PR changes 0-9 lines, ignoring generated files.) Sep 9, 2025
@greptile-apps greptile-apps bot left a comment

Greptile Summary

This PR implements a critical security fix for CVE-2024-4367 by modifying PDF.js getDocument API calls across the converter package. The changes update both browser and Node.js implementations to disable JavaScript evaluation during PDF parsing.

The core modification transforms getDocument calls from pdfjsLib.getDocument(pdf) to pdfjsLib.getDocument({ data: pdf, isEvalSupported: false }). This change is applied consistently to both pdf2img and pdf2size functions in both index.browser.ts and index.node.ts files.

The vulnerability (CVE-2024-4367) in PDF.js version 3.11.174 allowed malicious PDF files to execute JavaScript code during parsing. By explicitly setting isEvalSupported: false, this fix prevents potential arbitrary code execution while maintaining all existing PDF processing functionality. The change uses the object parameter format for getDocument calls, which is the recommended approach for security configuration in newer PDF.js versions.

This security hardening affects the converter package's core functionality for converting PDFs to images and extracting PDF dimensions, ensuring these operations are performed safely without the risk of JavaScript execution from untrusted PDF content.

Confidence score: 5/5

  • This PR is extremely safe to merge as it addresses a critical security vulnerability with minimal risk
  • Score reflects a straightforward security fix that disables a dangerous feature without breaking existing functionality
  • No files require special attention as the changes are identical, minimal, and well-documented security hardening

2 files reviewed, no comments

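A check in the spirit of the fix described above, added here as an example and not code from pdfme or PDF.js: it scans source text for PDF.js `getDocument(` calls and flags any that do not pass `isEvalSupported: false`, the option this PR adds to pdf2img and pdf2size. The sample source is constructed to mirror the before/after shapes in the summary.

```typescript
// Added example (not pdfme's own code): audit source text for PDF.js
// getDocument() calls that lack `isEvalSupported: false`, the setting this
// PR applies to mitigate CVE-2024-4367 (JS evaluation during PDF parsing).

interface Finding {
  line: number;      // 1-based line where the call starts
  args: string;      // raw argument text passed to getDocument
  hardened: boolean; // true only if isEvalSupported is explicitly false
}

// Return the text between the parenthesis opening at openIdx and its match,
// tolerating nested parentheses; null if the call is unbalanced.
function extractArgs(src: string, openIdx: number): string | null {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")") {
      depth--;
      if (depth === 0) return src.slice(openIdx + 1, i);
    }
  }
  return null;
}

function auditGetDocumentCalls(src: string): Finding[] {
  const findings: Finding[] = [];
  const re = /\bgetDocument\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1; // index of "("
    const args = extractArgs(src, openIdx);
    if (args === null) continue;
    const line = src.slice(0, m.index).split("\n").length;
    // A bare `getDocument(pdf)` keeps the PDF.js default (eval allowed);
    // only an options object with isEvalSupported: false counts as hardened.
    const hardened = /isEvalSupported\s*:\s*false\b/.test(args);
    findings.push({ line, args: args.trim(), hardened });
  }
  return findings;
}

// Lines of calls that still allow JavaScript evaluation.
function unhardenedLines(src: string): number[] {
  return auditGetDocumentCalls(src).filter(f => !f.hardened).map(f => f.line);
}

// Constructed sample: the pre-fix call, the fixed call, and an explicit opt-in.
const SAMPLE_SOURCE = `
const before = pdfjsLib.getDocument(pdf);
const after = pdfjsLib.getDocument({ data: pdf, isEvalSupported: false });
const stillOpen = pdfjsLib.getDocument({ data: pdf, isEvalSupported: true });
`;
```

Running `unhardenedLines` over the converter package's index.browser.ts and index.node.ts should return an empty list once this PR is applied.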

@dosubot dosubot bot added the "bug" label (Something isn't working) Sep 9, 2025
@hand-dot hand-dot merged commit 2a1ea0e into main Sep 9, 2025
7 checks passed