GrapheneOS / PdfViewer

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. A Content-Security-Policy (CSP) enforces that the JavaScript and styling within the WebView are entirely static: no inline script or style, and no eval.
https://grapheneos.org/
MIT License

Set isEvalSupported to false #356

Closed. colleirose closed this 3 months ago.

colleirose commented 4 months ago

This reduces attack surface and mitigates CVE-2024-4367

thestinger commented 4 months ago

Please read https://discuss.grapheneos.org/d/12627-information-regarding-security-of-pdf-viewer-app.

thestinger commented 4 months ago

We've never supported using eval for anything due to our Content-Security-Policy not allowing unsafe-eval. It would be fine to turn off eval at this layer in addition to the more reliable systemic disabling via Content-Security-Policy. We've regularly tested that pdf.js handles having it disabled via CSP. I don't think they used to have an option to disable it so we've always simply relied on the fact that they can handle it being disallowed as a whole and fall back to doing things another way.

We can disable their usage of eval in this more specific way too, but the commit message should note that it has always been disabled at another layer (CSP). It doesn't make sense to mention CVE-2024-4367 in this way since they fixed it through removing that functionality and it didn't impact us so we don't need to mitigate it as we have always prevented that class of vulnerability.
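
The two layers described above, as an added example that is not PdfViewer's own code: a small checker that parses a CSP string and reports whether it lets scripts call eval, next to the pdf.js document parameters that switch off pdf.js's eval usage as a second, library-level layer. The policy strings are constructed for illustration and are not the app's real policy; `isEvalSupported` is a genuine `pdfjsLib.getDocument()` option (default `true`), while `parseCsp`, `cspPermitsEval` and `auditEvalLayers` are names chosen here.

```javascript
// Added example, not code from the GrapheneOS PdfViewer repository.
// Shows the two independent layers that keep eval() out of the WebView:
//   1. the Content-Security-Policy (systemic: the engine refuses eval), and
//   2. pdf.js's own isEvalSupported option (library-level: pdf.js never tries).

// Parse a CSP header value into a Map of directive name -> source list.
// Per the CSP spec, a directive that appears twice is only honoured once
// (the first occurrence wins), so later duplicates are ignored here.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval(), new Function() and friends are governed by script-src; when
// script-src is absent, default-src applies. With neither present the policy
// places no restriction on scripts, so eval is permitted. Only the
// 'unsafe-eval' keyword re-enables eval once a governing directive exists.
function cspPermitsEval(policy) {
  const d = parseCsp(policy);
  const effective = d.has("script-src") ? d.get("script-src") : d.get("default-src");
  if (!effective) return true;
  return effective.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Parameters handed to pdfjsLib.getDocument(). isEvalSupported is a real
// pdf.js option; setting it false makes pdf.js take its non-eval code paths
// unconditionally instead of discovering at runtime that eval is blocked.
function pdfjsDocumentParams(pdfBytes) {
  return { data: pdfBytes, isEvalSupported: false };
}

// Hypothetical audit helper (a name chosen for this example): report which of
// the two layers is in place. Both should be true for defence in depth.
function auditEvalLayers(policy, params) {
  const cspBlocksEval = !cspPermitsEval(policy);
  const pdfjsEvalDisabled = params.isEvalSupported === false;
  return { cspBlocksEval, pdfjsEvalDisabled, defenseInDepth: cspBlocksEval && pdfjsEvalDisabled };
}

// Constructed sample policies (not the app's actual CSP).
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'";
const LOOSE_CSP = "default-src 'self' 'unsafe-eval'";

const params = pdfjsDocumentParams(new Uint8Array([0x25, 0x50, 0x44, 0x46])); // "%PDF" header bytes, constructed
console.log("strict policy:", auditEvalLayers(STRICT_CSP, params));
console.log("loose policy: ", auditEvalLayers(LOOSE_CSP, params));
```

With the strict policy both layers report true; with the loose policy the library-level flag still holds, which is exactly the fallback the second layer buys you if the CSP were ever weakened. In the WebView itself the policy is delivered as a `Content-Security-Policy` header or `<meta http-equiv>` tag rather than checked by script, so a check like this belongs in a build or test step, not at runtime.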

thestinger commented 3 months ago

Included in https://github.com/GrapheneOS/PdfViewer/pull/364.