fix: disable encrypted pdfs (#1130)

## Description Currently if you complete a pending encrypted document, it will prevent the document from being sealed due to the systems inability to decrypt it. This PR disables uploading any documents that cannot be loaded as a temporary measure. **Note** This is a client side only check ## Changes Made - Disable uploading documents that cannot be parsed - Refactor putFile to putDocumentFile - Add a flag as a backup incase something goes wrong
2025-11-15 01:01:49 +10:00 · 2024-05-03 22:25:24 +07:00
parent 15dee5ef35
commit 64e3e2c64b
10 changed files with 60 additions and 23 deletions
--- a/packages/lib/constants/feature-flags.ts
+++ b/packages/lib/constants/feature-flags.ts
@ -21,6 +21,7 @@ export const FEATURE_FLAG_POLL_INTERVAL = 30000;
 * Does not take any person or group properties into account.
 */
 export const LOCAL_FEATURE_FLAGS: Record<string, boolean> = {
+  app_allow_encrypted_documents: false,
  app_billing: NEXT_PUBLIC_FEATURE_BILLING_ENABLED() === 'true',
  app_document_page_view_history_sheet: false,
  app_passkey: WEBAPP_BASE_URL === 'http://localhost:3000', // Temp feature flag.
--- a/packages/lib/server-only/document/seal-document.ts
+++ b/packages/lib/server-only/document/seal-document.ts
@ -14,7 +14,7 @@ import { signPdf } from '@documenso/signing';

 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getFile } from '../../universal/upload/get-file';
-import { putFile } from '../../universal/upload/put-file';
+import { putPdfFile } from '../../universal/upload/put-file';
 import { getCertificatePdf } from '../htmltopdf/get-certificate-pdf';
 import { flattenAnnotations } from '../pdf/flatten-annotations';
 import { insertFieldInPDF } from '../pdf/insert-field-in-pdf';
@ -122,7 +122,7 @@ export const sealDocument = async ({

  const { name, ext } = path.parse(document.title);

-  const { data: newData } = await putFile({
+  const { data: newData } = await putPdfFile({
    name: `${name}_signed${ext}`,
    type: 'application/pdf',
    arrayBuffer: async () => Promise.resolve(pdfBuffer),
--- a/packages/lib/server-only/document/send-document.tsx
+++ b/packages/lib/server-only/document/send-document.tsx
@ -8,6 +8,7 @@ import { sealDocument } from '@documenso/lib/server-only/document/seal-document'
 import { updateDocument } from '@documenso/lib/server-only/document/update-document';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
+import { putPdfFile } from '@documenso/lib/universal/upload/put-file';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
 import { renderCustomEmailTemplate } from '@documenso/lib/utils/render-custom-email-template';
 import { prisma } from '@documenso/prisma';
@ -20,7 +21,6 @@ import {
  RECIPIENT_ROLE_TO_EMAIL_TYPE,
 } from '../../constants/recipient-roles';
 import { getFile } from '../../universal/upload/get-file';
-import { putFile } from '../../universal/upload/put-file';
 import { insertFormValuesInPdf } from '../pdf/insert-form-values-in-pdf';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';

@ -102,7 +102,7 @@ export const sendDocument = async ({
      formValues: document.formValues as Record<string, string | number | boolean>,
    });

-    const newDocumentData = await putFile({
+    const newDocumentData = await putPdfFile({
      name: document.title,
      type: 'application/pdf',
      arrayBuffer: async () => Promise.resolve(prefilled),
--- a/packages/lib/universal/upload/put-file.ts
+++ b/packages/lib/universal/upload/put-file.ts
@ -1,9 +1,12 @@
 import { base64 } from '@scure/base';
 import { env } from 'next-runtime-env';
+import { PDFDocument } from 'pdf-lib';
 import { match } from 'ts-pattern';

+import { getFlag } from '@documenso/lib/universal/get-feature-flag';
 import { DocumentDataType } from '@documenso/prisma/client';

+import { AppError } from '../../errors/app-error';
 import { createDocumentData } from '../../server-only/document-data/create-document-data';

 type File = {
@ -12,14 +15,38 @@ type File = {
  arrayBuffer: () => Promise<ArrayBuffer>;
 };

+/**
+ * Uploads a document file to the appropriate storage location and creates
+ * a document data record.
+ */
+export const putPdfFile = async (file: File) => {
+  const isEncryptedDocumentsAllowed = await getFlag('app_allow_encrypted_documents').catch(
+    () => false,
+  );
+
+  // This will prevent uploading encrypted PDFs or anything that can't be opened.
+  if (!isEncryptedDocumentsAllowed) {
+    await PDFDocument.load(await file.arrayBuffer()).catch((e) => {
+      console.error(`PDF upload parse error: ${e.message}`);
+
+      throw new AppError('INVALID_DOCUMENT_FILE');
+    });
+  }
+
+  const { type, data } = await putFile(file);
+
+  return await createDocumentData({ type, data });
+};
+
+/**
+ * Uploads a file to the appropriate storage location.
+ */
 export const putFile = async (file: File) => {
  const NEXT_PUBLIC_UPLOAD_TRANSPORT = env('NEXT_PUBLIC_UPLOAD_TRANSPORT');

-  const { type, data } = await match(NEXT_PUBLIC_UPLOAD_TRANSPORT)
+  return await match(NEXT_PUBLIC_UPLOAD_TRANSPORT)
    .with('s3', async () => putFileInS3(file))
    .otherwise(async () => putFileInDatabase(file));
-
-  return await createDocumentData({ type, data });
 };

 const putFileInDatabase = async (file: File) => {