npm - nodebb-plugin-pdf-secure - Versions diffs - 1.2.5 → 1.2.7 - Mend

nodebb-plugin-pdf-secure 1.2.5 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/library.js CHANGED Viewed

@@ -26,6 +26,14 @@ plugin.init = async (params) => {
 		console.error('[PDF-Secure] Failed to cache viewer template:', err.message);
 	}
+	// Double slash bypass protection - catches /uploads//files/ attempts
+	router.use((req, res, next) => {
+		if (req.path.includes('//') && req.path.toLowerCase().includes('.pdf')) {
+			return res.status(403).json({ error: 'Invalid path' });
+		}
+		next();
+	});
 	// PDF direct access blocker middleware
 	// Intercepts requests to uploaded PDF files and returns 403
 	router.get('/assets/uploads/files/:filename', (req, res, next) => {
@@ -115,4 +123,68 @@ plugin.addAdminNavigation = (header) => {
 	return header;
 };
+// Filter meta tags to hide PDF URLs and filenames
+plugin.filterMetaTags = async (hookData) => {
+	if (!hookData || !hookData.tags) {
+		return hookData;
+	}
+	// Filter out PDF-related meta tags
+	hookData.tags = hookData.tags.filter(tag => {
+		// Remove og:image and og:image:url if it contains .pdf
+		if ((tag.property === 'og:image' || tag.property === 'og:image:url') && tag.content && tag.content.toLowerCase().includes('.pdf')) {
+			return false;
+		}
+		// Remove twitter:image if it contains .pdf
+		if (tag.name === 'twitter:image' && tag.content && tag.content.toLowerCase().includes('.pdf')) {
+			return false;
+		}
+		return true;
+	});
+	// Sanitize description to hide .pdf extensions
+	hookData.tags = hookData.tags.map(tag => {
+		if ((tag.name === 'description' || tag.property === 'og:description') && tag.content) {
+			// Replace .pdf extension with empty string in description
+			tag.content = tag.content.replace(/\.pdf/gi, '');
+		}
+		return tag;
+	});
+	return hookData;
+};
+// Transform PDF links to secure placeholders (server-side)
+// This hides PDF URLs from: page source, API, RSS, ActivityPub
+plugin.transformPdfLinks = async (data) => {
+	if (!data || !data.postData || !data.postData.content) {
+		return data;
+	}
+	// Regex to match PDF links: <a href="...xxx.pdf">text</a>
+	// Captures: full URL path, filename, link text
+	const pdfLinkRegex = /<a\s+[^>]*href=["']([^"']*\/([^"'\/]+\.pdf))["'][^>]*>([^<]*)<\/a>/gi;
+	data.postData.content = data.postData.content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
+		// Decode filename to prevent double encoding (URL may already be encoded)
+		let decodedFilename;
+		try { decodedFilename = decodeURIComponent(filename); }
+		catch (e) { decodedFilename = filename; }
+		// Sanitize for HTML attribute
+		const safeFilename = decodedFilename.replace(/[<>"'&]/g, '');
+		const displayName = linkText.trim() || safeFilename;
+		// Return secure placeholder div instead of actual link
+		return `<div class="pdf-secure-placeholder" data-filename="${safeFilename}">
+			<svg viewBox="0 0 24 24" style="width:20px;height:20px;fill:#e81224;vertical-align:middle;margin-right:8px;">
+				<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
+			</svg>
+			<span>${displayName}</span>
+		</div>`;
+	});
+	return data;
+};
 module.exports = plugin;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.2.5",
+  "version": "1.2.7",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/plugin.json CHANGED Viewed

@@ -14,6 +14,14 @@
 		{
 			"hook": "filter:admin.header.build",
 			"method": "addAdminNavigation"
+		},
+		{
+			"hook": "filter:meta.getMetaTags",
+			"method": "filterMetaTags"
+		},
+		{
+			"hook": "filter:parse.post",
+			"method": "transformPdfLinks"
 		}
 	],
 	"staticDirs": {

package/static/lib/main.js CHANGED Viewed

@@ -2,6 +2,26 @@
 // Main plugin logic - PDF links become inline embedded viewers with lazy loading + queue
 (async function () {
+	// ============================================
+	// PDF.js PRELOAD - Cache CDN assets before iframe loads
+	// ============================================
+	(function preloadPdfJs() {
+		const preloads = [
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf.min.js', as: 'script' },
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf_viewer.min.css', as: 'style' }
+		];
+		preloads.forEach(({ href, as }) => {
+			if (!document.querySelector(`link[href="${href}"]`)) {
+				const link = document.createElement('link');
+				link.rel = 'preload';
+				link.href = href;
+				link.as = as;
+				link.crossOrigin = 'anonymous';
+				document.head.appendChild(link);
+			}
+		});
+	})();
 	// Loading queue - only load one PDF at a time
 	const loadQueue = [];
 	let isLoading = false;
@@ -9,6 +29,9 @@
 	// Listen for postMessage from iframe when PDF is fully rendered
 	window.addEventListener('message', function (event) {
+		// Security: Only accept messages from same origin
+		if (event.origin !== window.location.origin) return;
 		if (event.data && event.data.type === 'pdf-secure-ready') {
 			console.log('[PDF-Secure] Queue: PDF ready -', event.data.filename);
 			if (currentResolver) {
@@ -59,8 +82,20 @@
 		var postContents = document.querySelectorAll('[component="post/content"]');
 		postContents.forEach(function (content) {
-			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
+			// NEW: Detect server-rendered secure placeholders (hides URL from source)
+			var placeholders = content.querySelectorAll('.pdf-secure-placeholder');
+			placeholders.forEach(function (placeholder) {
+				if (placeholder.dataset.pdfSecureProcessed) return;
+				placeholder.dataset.pdfSecureProcessed = 'true';
+				var filename = placeholder.dataset.filename;
+				var displayName = placeholder.querySelector('span')?.textContent || filename;
+				createPdfViewer(placeholder, filename, displayName);
+			});
+			// FALLBACK: Detect old-style PDF links (for backwards compatibility)
+			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
 			pdfLinks.forEach(function (link) {
 				if (link.dataset.pdfSecure) return;
 				link.dataset.pdfSecure = 'true';
@@ -68,112 +103,119 @@
 				var href = link.getAttribute('href');
 				var parts = href.split('/');
 				var filename = parts[parts.length - 1];
+				var displayName = link.textContent || filename;
-				// Create container
-				var container = document.createElement('div');
-				container.className = 'pdf-secure-embed';
-				container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
-				// Header
-				var header = document.createElement('div');
-				header.className = 'pdf-secure-embed-header';
-				header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
-				var title = document.createElement('div');
-				title.className = 'pdf-secure-embed-title';
-				title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
-				var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				icon.setAttribute('viewBox', '0 0 24 24');
-				icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
-				icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
-				var nameSpan = document.createElement('span');
-				nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
-				nameSpan.textContent = decodeURIComponent(link.textContent || filename);
-				title.appendChild(icon);
-				title.appendChild(nameSpan);
-				// Actions
-				var actions = document.createElement('div');
-				actions.style.cssText = 'display:flex;gap:8px;';
-				var fullscreenBtn = document.createElement('button');
-				fullscreenBtn.className = 'pdf-secure-fullscreen-btn';
-				fullscreenBtn.title = 'Tam Ekran';
-				fullscreenBtn.style.cssText = 'display:flex;align-items:center;justify-content:center;width:32px;height:32px;background:rgba(255,255,255,0.08);border:none;border-radius:6px;cursor:pointer;';
-				var fullscreenIcon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				fullscreenIcon.setAttribute('viewBox', '0 0 24 24');
-				fullscreenIcon.style.cssText = 'width:18px;height:18px;min-width:18px;max-width:18px;fill:#fff;';
-				fullscreenIcon.innerHTML = '<path d="M7 14H5v5h5v-2H7v-3zm-2-4h2V7h3V5H5v5zm12 7h-3v2h5v-5h-2v3zM14 5v2h3v3h2V5h-5z"/>';
-				fullscreenBtn.appendChild(fullscreenIcon);
-				actions.appendChild(fullscreenBtn);
-				header.appendChild(title);
-				header.appendChild(actions);
-				container.appendChild(header);
-				// Body with loading placeholder
-				var iframeWrapper = document.createElement('div');
-				iframeWrapper.className = 'pdf-secure-embed-body';
-				iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
-				// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
-				var loadingPlaceholder = document.createElement('div');
-				loadingPlaceholder.className = 'pdf-loading-placeholder';
-				loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
-				loadingPlaceholder.innerHTML = `
+				createPdfViewer(link, filename, displayName);
+			});
+		});
+	}
+	function createPdfViewer(targetElement, filename, displayName) {
+		// Create container
+		var container = document.createElement('div');
+		container.className = 'pdf-secure-embed';
+		container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
+		// Header
+		var header = document.createElement('div');
+		header.className = 'pdf-secure-embed-header';
+		header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
+		var title = document.createElement('div');
+		title.className = 'pdf-secure-embed-title';
+		title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
+		var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+		icon.setAttribute('viewBox', '0 0 24 24');
+		icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
+		icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
+		var nameSpan = document.createElement('span');
+		nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
+		try { nameSpan.textContent = decodeURIComponent(displayName); }
+		catch (e) { nameSpan.textContent = displayName; }
+		title.appendChild(icon);
+		title.appendChild(nameSpan);
+		// Actions
+		var actions = document.createElement('div');
+		actions.style.cssText = 'display:flex;gap:8px;';
+		var fullscreenBtn = document.createElement('button');
+		fullscreenBtn.className = 'pdf-secure-fullscreen-btn';
+		fullscreenBtn.title = 'Tam Ekran';
+		fullscreenBtn.style.cssText = 'display:flex;align-items:center;justify-content:center;width:32px;height:32px;background:rgba(255,255,255,0.08);border:none;border-radius:6px;cursor:pointer;';
+		var fullscreenIcon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+		fullscreenIcon.setAttribute('viewBox', '0 0 24 24');
+		fullscreenIcon.style.cssText = 'width:18px;height:18px;min-width:18px;max-width:18px;fill:#fff;';
+		fullscreenIcon.innerHTML = '<path d="M7 14H5v5h5v-2H7v-3zm-2-4h2V7h3V5H5v5zm12 7h-3v2h5v-5h-2v3zM14 5v2h3v3h2V5h-5z"/>';
+		fullscreenBtn.appendChild(fullscreenIcon);
+		actions.appendChild(fullscreenBtn);
+		header.appendChild(title);
+		header.appendChild(actions);
+		container.appendChild(header);
+		// Body with loading placeholder
+		var iframeWrapper = document.createElement('div');
+		iframeWrapper.className = 'pdf-secure-embed-body';
+		iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
+		// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
+		var loadingPlaceholder = document.createElement('div');
+		loadingPlaceholder.className = 'pdf-loading-placeholder';
+		loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
+		loadingPlaceholder.innerHTML = `
 					<svg viewBox="0 0 24 24" style="width:48px;height:48px;fill:#555;">
 						<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
 					</svg>
 					<div class="pdf-loading-text" style="font-size:14px;color:#a0a0a0;">Sırada bekliyor...</div>
 					<style>@keyframes spin{from{transform:rotate(0deg)}to{transform:rotate(360deg)}}</style>
 				`;
-				iframeWrapper.appendChild(loadingPlaceholder);
+		iframeWrapper.appendChild(loadingPlaceholder);
-				container.appendChild(iframeWrapper);
+		container.appendChild(iframeWrapper);
-				// Fullscreen handler
-				fullscreenBtn.addEventListener('click', function () {
-					var iframe = iframeWrapper.querySelector('iframe');
-					if (iframe) {
-						if (iframe.requestFullscreen) iframe.requestFullscreen();
-						else if (iframe.webkitRequestFullscreen) iframe.webkitRequestFullscreen();
+		// Fullscreen handler
+		fullscreenBtn.addEventListener('click', function () {
+			var iframe = iframeWrapper.querySelector('iframe');
+			if (iframe) {
+				if (iframe.requestFullscreen) iframe.requestFullscreen();
+				else if (iframe.webkitRequestFullscreen) iframe.webkitRequestFullscreen();
+			}
+		});
+		targetElement.replaceWith(container);
+		// LAZY LOADING with Intersection Observer + Queue
+		var observer = new IntersectionObserver(function (entries) {
+			entries.forEach(function (entry) {
+				if (entry.isIntersecting) {
+					// Update placeholder to show loading state
+					var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
+					if (textEl) textEl.textContent = 'PDF Yükleniyor...';
+					var svgEl = loadingPlaceholder.querySelector('svg');
+					if (svgEl) {
+						svgEl.style.fill = '#0078d4';
+						svgEl.style.animation = 'spin 1s linear infinite';
+						svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
 					}
-				});
-				link.replaceWith(container);
-				// LAZY LOADING with Intersection Observer + Queue
-				var observer = new IntersectionObserver(function (entries) {
-					entries.forEach(function (entry) {
-						if (entry.isIntersecting) {
-							// Update placeholder to show loading state
-							var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
-							if (textEl) textEl.textContent = 'PDF Yükleniyor...';
-							var svgEl = loadingPlaceholder.querySelector('svg');
-							if (svgEl) {
-								svgEl.style.fill = '#0078d4';
-								svgEl.style.animation = 'spin 1s linear infinite';
-								svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
-							}
-							// Add to queue
-							queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
-							observer.disconnect();
-						}
-					});
-				}, {
-					rootMargin: '200px',
-					threshold: 0
-				});
-				observer.observe(container);
+					// Add to queue
+					queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
+					observer.disconnect();
+				}
 			});
+		}, {
+			rootMargin: '200px',
+			threshold: 0
 		});
+		observer.observe(container);
 	}
 	function loadPdfIframe(wrapper, filename, placeholder) {

package/static/viewer.html CHANGED Viewed

@@ -1334,6 +1334,34 @@
         (function () {
             'use strict';
+            // ============================================
+            // CANVAS EXPORT PROTECTION
+            // Block toDataURL/toBlob for PDF render canvas only
+            // Allows: thumbnails, annotations, other canvases
+            // ============================================
+            const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
+            const originalToBlob = HTMLCanvasElement.prototype.toBlob;
+            HTMLCanvasElement.prototype.toDataURL = function () {
+                // Block only main PDF page canvases (inside .page elements in #viewerContainer)
+                if (this.closest && this.closest('.page') && this.closest('#viewerContainer')) {
+                    console.warn('[Security] Canvas toDataURL blocked for PDF page');
+                    return 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==';  // 1x1 transparent
+                }
+                return originalToDataURL.apply(this, arguments);
+            };
+            HTMLCanvasElement.prototype.toBlob = function (callback) {
+                // Block only main PDF page canvases
+                if (this.closest && this.closest('.page') && this.closest('#viewerContainer')) {
+                    console.warn('[Security] Canvas toBlob blocked for PDF page');
+                    // Return empty blob
+                    if (callback) callback(new Blob([], { type: 'image/png' }));
+                    return;
+                }
+                return originalToBlob.apply(this, arguments);
+            };
             pdfjsLib.GlobalWorkerOptions.workerSrc = '';
             // State - now private, not accessible from console
@@ -1520,6 +1548,10 @@
                     // Security: Delete config containing sensitive data (nonce, key)
                     delete window.PDF_SECURE_CONFIG;
+                    // Security: Remove PDF.js globals to prevent console manipulation
+                    delete window.pdfjsLib;
+                    delete window.pdfjsViewer;
                     // Security: Block dangerous PDF.js methods
                     if (pdfDoc) {
                         pdfDoc.getData = function () {
@@ -1536,6 +1568,17 @@
                 } catch (err) {
                     console.error('[PDF-Secure] Auto-load error:', err);
+                    // Notify parent of error (prevents 60s queue hang)
+                    if (window.parent && window.parent !== window) {
+                        const config = window.PDF_SECURE_CONFIG || {};
+                        window.parent.postMessage({
+                            type: 'pdf-secure-ready',
+                            filename: config.filename,
+                            error: err.message
+                        }, '*');
+                    }
                     if (dropzone) {
                         dropzone.innerHTML = `
                         <svg viewBox="0 0 24 24" style="fill: #e81224;">