SPLAT-4180 add stricter checking of encription

Author: petarjakopec

bundle/Controller/Resource/Upload.php

@@ -27,8 +27,12 @@
 use function is_array;
 use function is_file;
 use function is_readable;
+use function filesize;
+use function preg_match;
+use function strrpos;
 use function strpos;
 use function strtolower;
+use function substr;
 
 use const SEEK_END;
 
@@ -142,17 +146,36 @@ private function isEncryptedPdf(UploadedFile $file): bool
             return false;
         }
 
-        $head = (string) fread($fp, 4096);
+        $fileSize = filesize($path);
 
-        @fseek($fp, -16384, SEEK_END);
-        $tail = (string) fread($fp, 16384);
+        // For small PDFs, `head` and `tail` reads can overlap and even fully duplicate the file contents.
+        // This can re-introduce false positives (e.g. `/Encrypt` in a trailing comment after `%%EOF`).
+        // In that case, scan the full content once.
+        if ($fileSize !== false && $fileSize <= 20480) {
+            $content = (string) fread($fp, $fileSize);
+        } else {
+            $head = (string) fread($fp, 4096);
+
+            @fseek($fp, -16384, SEEK_END);
+            $tail = (string) fread($fp, 16384);
+
+            $content = $head . $tail;
+        }
 
         fclose($fp);
 
-        if (strpos($head, '%PDF-') !== 0) {
+        if (strpos($content, '%PDF-') !== 0) {
             return false;
         }
 
-        return strpos($head . $tail, '/Encrypt') !== false;
+        // Ignore anything after the last EOF marker (some tools append non-PDF comments/metadata).
+        $eofPos = strrpos($content, '%%EOF');
+        if ($eofPos !== false) {
+            $content = substr($content, 0, $eofPos + 5);
+        }
+
+        // Detect presence of encryption dictionary reference in PDF object context.
+        // This avoids false positives where `/Encrypt` appears in metadata or trailing comments.
+        return (bool) preg_match('/\/(?:Encrypt)\s+(\d+|<<)/m', $content);
     }
 }

tests/bundle/Controller/Resource/UploadTest.php

@@ -270,6 +270,178 @@ public function testUploadEncryptedPdfIsRaw(): void
         unlink($tmpPdfPath);
     }
 
+    public function testUploadPdfWithEncryptInMetadataIsAuto(): void
+    {
+        $tmpPdfPath = (string) tempnam(sys_get_temp_dir(), 'ngrm_unencrypted_pdf_metadata_');
+        file_put_contents(
+            $tmpPdfPath,
+            "%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" .
+            "/Title (/Encrypt)\n" .
+            "%%EOF\n",
+        );
+
+        $request = new Request();
+        $request->request->add([
+            'folder' => 'media/document',
+        ]);
+
+        $uploadedFileMock = $this->createMock(UploadedFile::class);
+
+        $uploadedFileMock
+            ->expects(self::once())
+            ->method('isFile')
+            ->willReturn(true);
+
+        // getRealPath is used for md5 hash + FileStruct + encryption detector
+        $uploadedFileMock
+            ->expects(self::exactly(4))
+            ->method('getRealPath')
+            ->willReturn($tmpPdfPath);
+
+        $uploadedFileMock
+            ->expects(self::exactly(2))
+            ->method('getClientOriginalName')
+            ->willReturn('unencrypted.pdf');
+
+        // getClientOriginalExtension is used for FileStruct + encryption detector
+        $uploadedFileMock
+            ->expects(self::exactly(3))
+            ->method('getClientOriginalExtension')
+            ->willReturn('pdf');
+
+        $request->files->add([
+            'file' => $uploadedFileMock,
+        ]);
+
+        $this->fileHashFactoryMock
+            ->expects(self::once())
+            ->method('createHash')
+            ->with($tmpPdfPath)
+            ->willReturn('md5hash');
+
+        $fileStruct = FileStruct::fromUploadedFile($uploadedFileMock);
+
+        $resourceStruct = new ResourceStruct(
+            $fileStruct,
+            'auto',
+            Folder::fromPath('media/document'),
+            'public',
+            $request->request->get('filename'),
+        );
+
+        $resource = new RemoteResource(
+            remoteId: 'upload|auto|media/document/unencrypted.pdf',
+            type: 'auto',
+            url: 'https://cloudinary.com/test/upload/auto/media/document/unencrypted.pdf',
+            md5: 'md5hash',
+            name: 'unencrypted.pdf',
+            folder: Folder::fromPath('media/document'),
+            size: 123,
+        );
+
+        $this->providerMock
+            ->expects(self::once())
+            ->method('upload')
+            ->with($resourceStruct)
+            ->willReturn($resource);
+
+        $this->providerMock
+            ->expects(self::exactly(0))
+            ->method('buildVariation');
+
+        $response = $this->controller->__invoke($request);
+
+        self::assertInstanceOf(JsonResponse::class, $response);
+
+        unlink($tmpPdfPath);
+    }
+
+    public function testUploadPdfWithEncryptInTrailingCommentAfterEofIsAuto(): void
+    {
+        $tmpPdfPath = (string) tempnam(sys_get_temp_dir(), 'ngrm_unencrypted_pdf_comment_');
+        file_put_contents(
+            $tmpPdfPath,
+            "%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" .
+            "%%EOF\n" .
+            "% /Encrypt 2 0 R\n",
+        );
+
+        $request = new Request();
+        $request->request->add([
+            'folder' => 'media/document',
+        ]);
+
+        $uploadedFileMock = $this->createMock(UploadedFile::class);
+
+        $uploadedFileMock
+            ->expects(self::once())
+            ->method('isFile')
+            ->willReturn(true);
+
+        // getRealPath is used for md5 hash + FileStruct + encryption detector
+        $uploadedFileMock
+            ->expects(self::exactly(4))
+            ->method('getRealPath')
+            ->willReturn($tmpPdfPath);
+
+        $uploadedFileMock
+            ->expects(self::exactly(2))
+            ->method('getClientOriginalName')
+            ->willReturn('unencrypted.pdf');
+
+        // getClientOriginalExtension is used for FileStruct + encryption detector
+        $uploadedFileMock
+            ->expects(self::exactly(3))
+            ->method('getClientOriginalExtension')
+            ->willReturn('pdf');
+
+        $request->files->add([
+            'file' => $uploadedFileMock,
+        ]);
+
+        $this->fileHashFactoryMock
+            ->expects(self::once())
+            ->method('createHash')
+            ->with($tmpPdfPath)
+            ->willReturn('md5hash');
+
+        $fileStruct = FileStruct::fromUploadedFile($uploadedFileMock);
+
+        $resourceStruct = new ResourceStruct(
+            $fileStruct,
+            'auto',
+            Folder::fromPath('media/document'),
+            'public',
+            $request->request->get('filename'),
+        );
+
+        $resource = new RemoteResource(
+            remoteId: 'upload|auto|media/document/unencrypted.pdf',
+            type: 'auto',
+            url: 'https://cloudinary.com/test/upload/auto/media/document/unencrypted.pdf',
+            md5: 'md5hash',
+            name: 'unencrypted.pdf',
+            folder: Folder::fromPath('media/document'),
+            size: 123,
+        );
+
+        $this->providerMock
+            ->expects(self::once())
+            ->method('upload')
+            ->with($resourceStruct)
+            ->willReturn($resource);
+
+        $this->providerMock
+            ->expects(self::exactly(0))
+            ->method('buildVariation');
+
+        $response = $this->controller->__invoke($request);
+
+        self::assertInstanceOf(JsonResponse::class, $response);
+
+        unlink($tmpPdfPath);
+    }
+
     public function testUploadProtectedWithContext(): void
     {
         $uploadContext = [