FishyPDF is a viewer and analyzer for inspecting suspicious PDF files.
It is based heavily on Mozilla's PDF.js with more secure defaults and some additional analysis features added.
Since this project is a modified version of the original PDF.js web viewer, some of the code is hard to cleanly separate.
The directory third_party/pdfjs/ contains a copy of the PDF.js distribution bundle (pdfjs-3.10.111-dist.zip) with the following changes:
- changes to viewer.html (original preserved in viewer.html.original)
- removed the example file (web/compressed.tracemonkey-pldi-09.pdf)
- new files added in web-customizations/ (including a vue release bundle under a separate license in third_party/vue)
- added a _headers file for Cloudflare or similar and a redirecting index.html
The third_party/pdfjs/ directory is intended to serve as the webroot. pdfjs-server.py can be used to serve the webroot locally with CSP headers.
To make it easier to pull in new versions of pdf.js, changes should be kept separate as far as possible (i.e. add new files in web-customizations or above the third_party directory unless they need to be elsewhere for technical reasons, try to avoid making changes to files from the pdf.js distribution bundle with the exception of viewer.html).
This application was affected by CVE-2024-4367. The vulnerability allowed PDFs to execute JavaScript under the origin where the viewer was hosted, subject to the Content Security Policy. Since the viewer is meant to be hosted on an isolated origin, the impact was limited.
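Because the impact of a viewer bug like this depends on the Content Security Policy the webroot is served with, it is worth checking the _headers file before deploying. The following is an added example, not code from FishyPDF: it assumes the Cloudflare Pages layout for _headers (an unindented URL pattern followed by indented `Name: value` lines), uses a constructed sample policy, and its function names are hypothetical.

```python
# Added example (not FishyPDF code): audit a Cloudflare-style _headers file
# for a Content-Security-Policy that still lets attacker-supplied script run.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}

# Constructed sample, not the project's real _headers file.
SAMPLE = """\
/*
  X-Content-Type-Options: nosniff
  Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval'
"""

def parse_headers_file(text):
    """Return {url_pattern: {lowercased_header_name: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():            # unindented line: a URL pattern
            current = raw.strip()
            rules.setdefault(current, {})
        elif current is not None and ":" in raw:
            name, value = raw.strip().split(":", 1)
            rules[current][name.strip().lower()] = value.strip()
    return rules

def parse_csp(value):
    """Return {directive: [sources]}; browsers keep a directive's first occurrence."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit(text):
    """Return a list of (url_pattern, finding) tuples; empty means no finding."""
    findings, seen_csp = [], False
    for pattern, headers in parse_headers_file(text).items():
        if "content-security-policy" not in headers:
            continue
        seen_csp = True
        policy = parse_csp(headers["content-security-policy"])
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            findings.append((pattern, "no script-src or default-src"))
            continue
        findings += [(pattern, f"script source {s}") for s in sources if s in RISKY]
    if not seen_csp:
        findings.append(("*", "no Content-Security-Policy header"))
    return findings
```

Running `audit(SAMPLE)` reports the `'unsafe-eval'` source on the `/*` rule; a policy whose script-src is only `'self'` returns an empty list.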
This is not an officially supported Google product.