Link

Security Considerations

In terms of security, BuildVu can be separated into two distinct areas:

  1. PDF Processing (Java)
  2. Converted Documents (including hosting)

PDF Processing

BuildVu is a Java application, and all processing occurs within the Java Virtual Machine (JVM). Besides Java there are no other system dependencies required. BuildVu also does not make use of any third-party Java dependencies.

The BuildVu PDF parser does not run any arbitrary code stored within PDF files, nor does it make any network calls (except for the trial, which tracks trial usage).

The risks at conversion time primarily relate to uptime and stability. Some PDF files could act maliciously by requiring an excessive amount of system resources to be processed.

This threat can be mitigated by setting memory limits and utilising a maximum conversion duration.

Converted Documents

PDF files may contain arbitrary JavaScript, however this is not included in the output that BuildVu produces.

PDF annotations are an area that bad-actors may try to exploit. The main annotations of concern would be Link annotations, FileAttachment annotations, and the media annotation types.

Link annotations may be used by bad actors to send users to dangerous third-party websites.

FileAttachment annotations may be used to attach arbitrary files in PDF files. BuildVu does not execute file attachments, but it does include them in the output of the conversion. Care should be taken when serving converted documents to ensure the web server does not execute the attachment files. BuildVu writes out attachments without file extensions for this reason.

Media annotation types are another area where users may attach arbitrary files in PDF files. BuildVu only writes out media annotations with certain file extensions (documented here), however BuildVu will not validate the content of the media files.

In the event of a security vulnerability being discovered in BuildVu we would aim to notify customers privately and provide opportunity for remediation before disclosing the vulnerability publicly.

If you discover a vulnerability in our software then you can disclose this to us by contacting us.

More resources

Discord icon

Developer Discord

Connect with our developers on Discord to ask technical questions and get answers quickly.
video call icon

Zoom Call

Schedule a call to find out more about BuildVu and discuss how it can help with your project.
ticket icon

Create Ticket

Submit a bug report or open a ticket to ask a question.
question icon

BuildVu Licensing

Find out more about BuildVu licensing options and start a free trial today.

What's included in your BuildVu trial?

  • Access to download the SDK and run it locally.
  • Access to the cloud trial to convert documents in the IDR cloud.
  • Access to the Docker image to set up your own trial server in the cloud.
  • Communicate with IDR developers to ask questions & get expert advice.
  • Plenty of time to experiment and build a proof of concept.
  • Over 100 articles to help you get started and learn about BuildVu.
  • An exceptional PDF to HTML converter that took over 20 years to build!

Learn more about BuildVu

Start Your Free Trial

Trial License Type

Already have a BuildVu license?

Customer Downloads

Select Download

BuildVu-HTML

BuildVu-SVG

Don't have a license yet?