OpenPDF is a free Java library for creating and editing PDF files, released under the LGPL and MPL open source licenses. OpenPDF is based on a fork of iText. We welcome contributions from other developers. Please feel free to submit pull requests and bug reports to this GitHub repository.
Security risks, analysis and review of OpenPDF source code #1151
In this issue we can discuss how to perform a security review of the OpenPDF source code. There is a need for increased awareness of the security risks in the current source code, and an awareness that the current source code could contain security vulnerabilities which are not yet widely known. Security has not always had the focus it should have had in the past.
In fact, I would dissuade anyone from using this OpenPDF library in critical software where security is important, because the security risks are unknown. Possibly you should use Pdfbox or iText if you care about critical security in your software application. In fact, I recommend you don't use OpenPDF for anything where security is important.
Warning: while the current OpenPDF source code is based on a fork of an iText 4 SVN tag, the code has been changed by multiple people over a long time. The source code is complex and difficult to fully understand. Furthermore, there have been multiple source code contributions from people whom, at this time, we do not know whether we can trust.
In particular, code contributions by anonymous people using only nicknames on GitHub are a problem, because the identity of those people is unknown. So I recommend that in the future only code from persons using their real names should be accepted.
Automated code scanning tools checking OpenPDF: https://app.codacy.com/gh/LibrePDF/OpenPDF/dashboard
https://www.codefactor.io/repository/github/librepdf/openpdf
https://sonarcloud.io/summary/new_code?id=LibrePDF_OpenPDF
Some relevant links: https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf
https://github.com/ossf/security-reviews