Security Bug: Client-side File Processing Allows Potential Exploits #508

@sjsreehari

Issue:
The application processes user-uploaded PDF and DOCX files entirely on the client side using third-party libraries (pdf.js and mammoth.js). However, there is currently no validation or sanitization of file contents before processing.

Impact:
Malicious files could exploit vulnerabilities in pdf.js or mammoth.js if not properly sandboxed. There is no warning for unsupported or potentially dangerous file types, and no mitigation measures are evident.

Details:

<script src="https://cdnjs.cloudflare.com/ajax/libs/pdf.js/2.16.105/pdf.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/mammoth/1.4.16/mammoth.browser.min.js"></script>

Recommended Actions:

  • Add file type validation and sanitization before processing uploads.
  • Display warnings to users about potential risks associated with uploading files.
  • Investigate sandboxing or isolating third-party library execution.
  • Consider server-side scanning or checks for malicious files before client-side processing.

References:


This issue is raised for improving the security posture of the application and protecting users from possible client-side exploits due to unsafe file handling.
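
Added example, not part of the original issue or the project's code: one way to implement the first recommended action, checking an upload's size and container signature (PDF header, or ZIP with the DOCX entry names) before the bytes reach pdf.js or mammoth.js. The names `classifyUpload` and `MAX_BYTES`, the 20 MiB limit and the sample inputs are assumptions made for the example.

```javascript
// Added example: content-based type gate to run before pdf.js / mammoth.js.
// MAX_BYTES and all function names are assumptions, not taken from the project.
const MAX_BYTES = 20 * 1024 * 1024; // assumed upload ceiling

const ascii = (s) => new TextEncoder().encode(s);

// True if `needle` occurs in `hay` starting exactly at `offset`.
function matchesAt(hay, needle, offset = 0) {
  if (offset + needle.length > hay.length) return false;
  return needle.every((b, i) => hay[offset + i] === b);
}

// Linear search for a byte sequence; returns its index or -1.
function indexOfBytes(hay, needle) {
  for (let i = 0; i + needle.length <= hay.length; i++) {
    if (matchesAt(hay, needle, i)) return i;
  }
  return -1;
}

// `bytes` is a Uint8Array, e.g. new Uint8Array(await file.arrayBuffer()).
function classifyUpload(fileName, bytes) {
  if (bytes.length === 0) return { ok: false, reason: "empty file" };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: "file too large" };
  const ext = fileName.toLowerCase().split(".").pop();
  let kind = null;
  if (matchesAt(bytes, ascii("%PDF-"))) {
    kind = "pdf"; // header required at offset 0, stricter than lenient parsers
  } else if (matchesAt(bytes, Uint8Array.of(0x50, 0x4b, 0x03, 0x04)) &&
             indexOfBytes(bytes, ascii("[Content_Types].xml")) !== -1 &&
             indexOfBytes(bytes, ascii("word/document.xml")) !== -1) {
    kind = "docx"; // ZIP container; entry names sit uncompressed in its headers
  }
  if (kind === null) return { ok: false, reason: "unrecognized content" };
  if (ext !== kind) {
    return { ok: false, reason: `extension .${ext} does not match ${kind} content` };
  }
  return { ok: true, kind };
}

// Constructed sample inputs (header bytes only, not real documents).
const samplePdf = ascii("%PDF-1.7\n%constructed sample\n");
const sampleHtmlAsPdf = ascii("<html><body>constructed</body></html>");
console.log(classifyUpload("report.pdf", samplePdf));       // accepted as pdf
console.log(classifyUpload("report.pdf", sampleHtmlAsPdf)); // rejected
```

Passing this gate only confirms the container type and size; it does not show that a file is safe to parse, so the sandboxing recommendation in the issue still applies.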
