Security status of the project


Paul Pop

Sep 27, 2024, 2:11:44 PM
to Flying Saucer Users
Hello, I find this project very helpful, but I wanted to ask how secure it is when used with dynamic HTML for PDF generation. Could an attacker, in theory, gain any permission to the server running Flying Saucer if they have control over the HTML string that's then used to create the PDF? Is the parsing/rendering done in a secure manner? 

Thanks, and all the best.

Andrei Solntsev

Sep 28, 2024, 5:02:27 AM
to flying-sa...@googlegroups.com
Hi Paul!
If I say "FS is absolutely secure", will you trust me? ;)

Short answer: I don't know. 
But at least I am not aware of any CVEs related to FlyingSaucer. 

If you get any more information on this topic, please let us know.

Andrei Solntsev



Peter Brant

Sep 28, 2024, 10:22:04 AM
to flying-sa...@googlegroups.com
Hi Paul,

It's incautious to allow unsanitized, user-provided HTML in your PDFs/database/etc. I'd strongly recommend against it regardless. We use https://owasp.org/www-project-java-html-sanitizer/ at work.

FS was certainly not designed with that in mind. It also doesn't provide the usual XSS-type guarantees that a browser does. For example, I'm fairly sure providing an img tag with an absolute file:// URL would allow a user to read any image format supported by FS that is accessible to the server. Note that this includes PDF files which are treated as vector graphics.

I doubt this extends to actual code execution or privilege escalation though.
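Peter's two points above, sanitize user-controlled HTML with the OWASP Java HTML Sanitizer before it reaches the renderer, and remember that an `<img src="file:///...">` would otherwise let the document read any image (or PDF) the server process can open, combined into one worked example. This is an added illustration, not Flying Saucer's code and not code from anyone in the thread. The sanitizer calls are the OWASP library's public API. The `UserAgentCallback` wrapper assumes the Flying Saucer 9.x interface (the eight methods shown) and the `ImageResource`, `CSSResource` and `XMLResource` constructors/factories it uses, so check those against the version you ship; the class and method names `UntrustedHtmlToPdf`, `GuardedUserAgent`, `isAllowed` and `render` are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.xhtmlrenderer.extend.UserAgentCallback;
import org.xhtmlrenderer.layout.SharedContext;
import org.xhtmlrenderer.pdf.ITextRenderer;
import org.xhtmlrenderer.resource.CSSResource;
import org.xhtmlrenderer.resource.ImageResource;
import org.xhtmlrenderer.resource.XMLResource;

public class UntrustedHtmlToPdf {

    // Layer 1: an allowlist policy (OWASP Java HTML Sanitizer). Only the listed
    // elements survive; <img src> is kept only when the URL scheme is http or https,
    // so file:///... sources are stripped. <script>, <style>, <link>, <object>,
    // <iframe> and event-handler attributes are never allowed through.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                           "h1", "h2", "h3", "table", "tr", "td", "th", "img")
            .allowAttributes("src", "alt").onElements("img")
            .allowUrlProtocols("https", "http")
            .toFactory();

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    // Layer 2: the same allowlist enforced inside the renderer, so a file:// (or any
    // other local) URI that somehow reaches Flying Saucer is still never opened.
    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    static boolean isAllowed(String uri) {
        if (uri == null) return false;
        if (uri.startsWith("data:")) return true;   // inline base64 image: no server-side read
        try {
            String scheme = URI.create(uri).getScheme();
            return scheme != null && ALLOWED_SCHEMES.contains(scheme.toLowerCase());
        } catch (IllegalArgumentException e) {
            return false;                            // unparsable: fail closed
        }
    }

    // Wraps the renderer's own UserAgentCallback (assumed 9.x interface: eight methods)
    // and refuses anything outside the allowlist. A blocked image becomes the same
    // "no image" value FS returns for a failed load; blocked CSS becomes an empty
    // stylesheet; a blocked XML document becomes an empty one (constructors assumed).
    static final class GuardedUserAgent implements UserAgentCallback {
        private final UserAgentCallback delegate;
        GuardedUserAgent(UserAgentCallback delegate) { this.delegate = delegate; }

        private String resolveIfAllowed(String uri) {
            String resolved = (uri != null && uri.startsWith("data:")) ? uri : delegate.resolveURI(uri);
            return isAllowed(resolved) ? resolved : null;
        }
        @Override public String resolveURI(String uri) { return resolveIfAllowed(uri); }
        @Override public ImageResource getImageResource(String uri) {
            return resolveIfAllowed(uri) != null ? delegate.getImageResource(uri) : new ImageResource(uri, null);
        }
        @Override public byte[] getBinaryResource(String uri) {
            return resolveIfAllowed(uri) != null ? delegate.getBinaryResource(uri) : null;
        }
        @Override public CSSResource getCSSResource(String uri) {
            return resolveIfAllowed(uri) != null ? delegate.getCSSResource(uri)
                    : new CSSResource(new ByteArrayInputStream(new byte[0]));
        }
        @Override public XMLResource getXMLResource(String uri) {
            return resolveIfAllowed(uri) != null ? delegate.getXMLResource(uri)
                    : XMLResource.load(new ByteArrayInputStream("<html/>".getBytes(StandardCharsets.UTF_8)));
        }
        @Override public boolean isVisited(String uri) { return delegate.isVisited(uri); }
        @Override public void setBaseURL(String url) { delegate.setBaseURL(url); }
        @Override public String getBaseURL() { return delegate.getBaseURL(); }
    }

    public static void render(String untrustedHtml, OutputStream out) throws Exception {
        String body = sanitize(untrustedHtml);
        // FS parses XML, so wrap the sanitizer's balanced, closed-tag output in an XHTML skeleton.
        String xhtml = "<html xmlns=\"http://www.w3.org/1999/xhtml\"><head><title>report</title></head><body>"
                + body + "</body></html>";
        ITextRenderer renderer = new ITextRenderer();
        SharedContext ctx = renderer.getSharedContext();
        ctx.setUserAgentCallback(new GuardedUserAgent(ctx.getUserAgentCallback()));
        renderer.setDocumentFromString(xhtml);
        renderer.layout();
        renderer.createPDF(out);
    }

    public static void main(String[] args) throws Exception {
        // Constructed hostile input: the file:// image from the thread, a PDF that FS
        // would otherwise render as vector graphics, a script tag, and one legitimate image.
        String hostile = "<h1>Invoice</h1><script>alert(1)</script>"
                + "<img src=\"file:///etc/passwd\" alt=\"x\"/>"
                + "<img src=\"file:///srv/reports/other-customer.pdf\"/>"
                + "<img src=\"https://example.com/logo.png\" alt=\"logo\"/>";
        System.out.println(sanitize(hostile));   // script gone, only the https src survives
        try (OutputStream out = new FileOutputStream("report.pdf")) {
            render(hostile, out);
        }
    }
}
```

Three practical notes. First, the guard resolves relative URLs through the original callback before checking them, so if you set a `file://` base URL for local assets those assets are blocked too; serve them from a fixed directory via your own callback rather than re-opening `file://`. Second, allowing `http`/`https` images means the server makes outbound requests to whatever host the document names; if the use case does not need remote images, drop `img` from the policy entirely. Third, none of this changes Peter's point that FS was not designed for untrusted input: the sanitizer is the control, the callback wrapper is defense in depth, and a fresh renderer instance per document keeps one request's state out of the next.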



Paul Pop

Sep 28, 2024, 4:10:26 PM
to Flying Saucer Users
Thanks for taking the time to answer, Peter and Andrei.
That's precisely what I had in mind, Peter, and thanks for the suggestion. I have a small printing use case where the input is safe, in theory (it's not directly user-provided), but I was thinking just in case it were tampered with, I should avoid a potential vulnerability scenario. Hopefully the sanitization will suffice.

And finally, thanks for maintaining the project. This is my first time attempting to generate PDFs with Java and I'm surprised there's no 'standard' Java API to do these conversions... apart maybe from the paid, cloud-based (and very expensive, afaik) one from Adobe...