
Prevent Loading Unwanted Documents by URL in External Viewer

Open · maks-humeniuk opened this issue 1 year ago

Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [ ] Bug report -> please search issues before submitting
- [x] Feature request
- [ ] Documentation issue or request

I'm using the library to load documents by BLOB in the external viewer, which opens the document in a new browser tab. The URL then looks like this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true

However, nothing prevents the user from changing the file query parameter value to, e.g., this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf

This exposes the app to phishing attacks.

Could I somehow prevent such behavior in any way?

maks-humeniuk · Jun 25 '24 10:06

The same story with errorMessage:

The error message displayed on the page can be controlled by an attacker via the "errorMessage" parameter. An attacker could craft a convincing message to trick a user into revealing their account information or visiting a malicious site.

/assets/pdfjs/web/viewer.html?errorMessage=Your%20account%20has%20been%20blocked,%20please%20visit%20www.attacker.com%20to%20restore%20access&errorAppend=true

AlexanderMezentsev · Sep 03 '24 15:09

@maks-humeniuk @AlexanderMezentsev Both are good thoughts.

@AlexanderMezentsev The error message issue is fixed in the latest version (v25.x). @maks-humeniuk, I will address the file issue in the upcoming issue.

My thoughts are to give "allowedDomains" as an optional parameter. That way, you can keep a user from changing the URL and seeing a file.

codehippie1 · Sep 24 '25 02:09
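One way the "allowedDomains" idea above could be enforced on the viewer side, as an added example that is not code from ng2-pdfjs-viewer or pdf.js: the `file` parameter is accepted only if it is a blob: URL minted by the app's own origin, a same-origin URL, or an https URL on an explicitly allowed host, and the error text shown to the user comes from a fixed table rather than from the URL. `APP_ORIGIN`, `ALLOWED_DOMAINS`, `ERROR_MESSAGES` and all function names are hypothetical, constructed for this example.

```javascript
// Added example, not part of ng2-pdfjs-viewer: allowlist the viewer's `file`
// query parameter and never echo free-text error messages from the URL.

const APP_ORIGIN = 'https://localhost:4200';   // constructed: the app serving viewer.html
const ALLOWED_DOMAINS = ['cdn.example.com'];   // constructed: the "allowedDomains" option

// True only for: a blob: URL created by this app's origin, a same-origin URL,
// or an https URL whose hostname exactly matches an allowed domain.
function isAllowedFileUrl(fileParam, appOrigin = APP_ORIGIN, allowedDomains = ALLOWED_DOMAINS) {
  let url;
  try {
    url = new URL(fileParam, appOrigin);        // relative paths resolve against the app
  } catch {
    return false;                               // unparseable: reject
  }
  if (url.protocol === 'blob:') {
    // blob:https://host:port/uuid -- the text after "blob:" carries the minting origin
    let inner;
    try { inner = new URL(url.pathname); } catch { return false; }
    return inner.origin === appOrigin;
  }
  if (url.protocol !== 'https:') return false;  // rejects http:, data:, javascript:, file:
  if (url.username || url.password) return false; // rejects https://user@allowed-host tricks
  return url.origin === appOrigin || allowedDomains.includes(url.hostname);
}

// Extract `file` from a complete viewer URL (searchParams decodes it) and decide.
function fileParamAllowed(viewerUrl) {
  const fileParam = new URL(viewerUrl).searchParams.get('file');
  return fileParam !== null && isAllowedFileUrl(fileParam);
}

// Error messages: map a short code to a fixed string; anything unknown gets a
// generic message, so the URL can never put attacker-chosen text on the page.
const ERROR_MESSAGES = {                         // constructed
  load: 'The document could not be loaded.',
  missing: 'The document was not found.',
};
function resolveErrorMessage(code) {
  return Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code)
    ? ERROR_MESSAGES[code]
    : 'An error occurred while displaying the document.';
}
```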

I revised my approach slightly and implemented it differently. This is supported neatly now. You can't change the blob or file path now and expect the PDF viewer to work. I also provide a way for users to show a security warning message using ng-template if the URL is changed (this is optional).

codehippie1 · Sep 25 '25 01:09