Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

feat: add PDF URL validation and content type check #1896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Conversation

@Yukaii
Copy link
Member

@Yukaii Yukaii commented Mar 19, 2025
edited
Loading

Companion test script

A bun proxy server that serve xss content https://william957-web.github.io/meow_xss.html

// pdf-proxy.js
const server = Bun.serve({
 port: 5678,
 async fetch(req) {
 // Only handle requests to our proxy endpoint
 const url = new URL(req.url);
 if (url.pathname !== "/proxy-as-pdf.pdf") {
 return new Response("Not Found", { status: 404 });
 }
 try {
 // Fetch the original HTML content
 const response = await fetch("https://william957-web.github.io/meow_xss.html");
 const originalContent = await response.text();
 // Return the HTML content with PDF content type
 return new Response(originalContent, {
 headers: {
 "Content-Type": "application/pdf",
 "Content-Disposition": "inline; filename=document.pdf"
 }
 });
 } catch (error) {
 console.error("Error fetching the content:", error);
 return new Response("Error proxying the content", { status: 500 });
 }
 }
});
console.log(`PDF proxy server running at http://localhost:${server.port}`);

And reverse proxy

caddy reverse-proxy --from local.localhost --to localhost:5678 --internal-certs

And embed with:

{%pdf https://local.localhost/proxy-as-pdf.pdf %}

@Yukaii Yukaii linked an issue Mar 19, 2025 that may be closed by this pull request 
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
@Yukaii Yukaii force-pushed the bugfix/dev-1876-improper-pdf-link-handling-leading-xss branch from 695f27e to 55e9de3 Compare March 19, 2025 12:46
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds PDF URL validation and a content type check to improve the reliability of PDF embedding.

  • Added an async function isPdfUrl in utils.js to check if a URL returns a PDF Content-Type.
  • Updated extra.js to perform both extension and content type checks before embedding a PDF.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
public/js/utils.js Added isPdfUrl to fetch HEAD and validate the Content-Type header
public/js/extra.js Integrated PDF validation logic with both extension and content type checks

Copy link
Contributor

@EastSun5566 EastSun5566 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Yukaii Yukaii added this to the 2.6.0 milestone May 8, 2025
@Yukaii Yukaii merged commit ae80b92 into develop May 15, 2025
7 checks passed
@Yukaii Yukaii deleted the bugfix/dev-1876-improper-pdf-link-handling-leading-xss branch May 15, 2025 05:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EastSun5566 EastSun5566 EastSun5566 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.6.0

Development

Successfully merging this pull request may close these issues.

Impropper url embed with PDF leading XSS and DoS

AltStyle によって変換されたページ (->オリジナル) /