Mirrors/Stirling-PDF
Mirrors/Stirling-PDF
1
0
Fork 0
mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2025-11-16 01:21:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
955a26f32b
Stirling-PDF/app
History
Ludy 955a26f32b
fix(security): Harden website-to-PDF conversion (#4638) 
# Description of Changes

**What was changed**
- Fetch remote HTML content via `HttpClient` before invoking WeasyPrint
to inspect and sanitize input.
- Reject conversions when downloaded HTML contains disallowed `file:`
scheme references (including encoded/obfuscated variants) using a
compiled `Pattern`.
- Write fetched HTML to a secured temporary file and pass that path to
WeasyPrint instead of the remote URL.
- Provide `--base-url` to WeasyPrint so relative resources resolve
correctly while avoiding direct remote fetching as the primary input.
- Add comprehensive unit tests:
- Ensure command invocation uses local temp HTML + `--base-url` and
cleans up temp files.
  - Verify redirect with error when disallowed content is detected.
  - Cover temp file deletion behavior and error handling paths.
- Improve resource cleanup in `finally` blocks for both temp HTML and
output PDF artifacts.

**Why the change was made**
- Prevents traversal/local file exposure risks by blocking `file:` (and
encoded equivalents) discovered in fetched HTML.
- Reduces attack surface of URL-to-PDF by avoiding direct handing of
remote URLs to the renderer and enabling pre-validation.
- Strengthens deterministic behavior of conversions and improves safety
against SSRF-like vectors.

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
2025-10-16 22:41:04 +01:00
..
common fix(security): harden URL reachability to block SSRF to private/reserved networks and add unit tests (#4637) 2025-10-16 22:40:08 +01:00
core fix(security): Harden website-to-PDF conversion (#4638) 2025-10-16 22:41:04 +01:00
proprietary feat(pdf-to-cbr): integrate RAR for CBR output generation (#4626) 2025-10-10 14:10:44 +01:00
allowed-licenses.json feat(cbr-to-pdf,pdf-to-cbr): add PDF to/from CBR conversion with ebook optimization option (#4581) 2025-10-04 11:15:23 +01:00