fix: Prevent local file access by default using the localUrlAccess: false option

BREAKING CHANGE: Prevent local file access by default to fix a security issue.
Please provide the `localUrlAccess: true` option if you want to keep the old behavior
but keep your system vulnerable to local file access.

Author: marcbachmann

README.md

@@ -125,14 +125,16 @@ config = {
   "zoomFactor": "1", // default is 1
 
   // File options
-  "type": "pdf",             // allowed file types: png, jpeg, pdf
-  "quality": "75",           // only used for types png & jpeg
+  "type": "pdf",           // allowed file types: png, jpeg, pdf
+  "quality": "75",         // only used for types png & jpeg
 
   // Script options
   "phantomPath": "./node_modules/phantomjs/bin/phantomjs", // PhantomJS binary which should get downloaded automatically
   "phantomArgs": [], // array of strings used as phantomjs args e.g. ["--ignore-ssl-errors=yes"]
-  "script": '/url',           // Absolute path to a custom phantomjs script, use the file in lib/scripts as example
-  "timeout": 30000,           // Timeout that will cancel phantomjs, in milliseconds
+  "localUrlAccess": false, // Prevent local file:// access by passing '--local-url-access=false' to phantomjs
+                           // For security reasons you should keep the default value if you render arbritary html/js.
+  "script": '/url',        // Absolute path to a custom phantomjs script, use the file in lib/scripts as example
+  "timeout": 30000,        // Timeout that will cancel phantomjs, in milliseconds
 
   // Time we should wait after window load
   // accepted values are 'manual', some delay in milliseconds or undefined to wait for a render event

lib/pdf.js

@@ -35,6 +35,8 @@ function PDF (html, options) {
   if (this.options.filename) this.options.filename = path.resolve(this.options.filename)
   if (!this.options.phantomPath) this.options.phantomPath = phantomjs && phantomjs.path
   this.options.phantomArgs = this.options.phantomArgs || []
+
+  if (this.options.localUrlAccess) this.options.phantomArgs.push('--local-url-access=false')
   assert(this.options.phantomPath, "html-pdf: Failed to load PhantomJS module. You have to set the path to the PhantomJS binary using 'options.phantomPath'")
   assert(typeof this.html === 'string' && this.html.length, "html-pdf: Can't create a pdf without an html string")
   this.options.timeout = parseInt(this.options.timeout, 10) || 30000

test/index.js

@@ -228,3 +228,33 @@ test('load with cookies js', function (t) {
     })
   })
 })
+
+test('allows local file access with localUrlAccess=true', function (t) {
+  t.plan(2)
+
+  pdf.create(`
+    <body>here is an iframe which receives the cookies
+      <iframe src="file://${path.join(__dirname, 'multiple-pages.html')}" width="400" height="100"></iframe>
+    </body>
+  `, {localUrlAccess: true})
+  .toBuffer(function (error, buffer) {
+    t.error(error)
+    const count = buffer.toString().match(/\/Type \/Page\n/g).length
+    t.assert(count === 1, 'Renders a page with 1 page as the content is missing')
+  })
+})
+
+test('does not allow localUrlAccess by default', function (t) {
+  t.plan(2)
+
+  pdf.create(`
+    <body>here is an iframe which receives the cookies
+      <iframe src="file://${path.join(__dirname, 'multiple-pages.html')}" width="400" height="100"></iframe>
+    </body>
+  `)
+  .toBuffer(function (error, buffer) {
+    t.error(error)
+    const count = buffer.toString().match(/\/Type \/Page\n/g).length
+    t.assert(count === 5, 'Renders a page 5 pages as the content is present')
+  })
+})