Security Considerations

In terms of security, JPedal can be separated into three distinct areas:

  1. How JPedal is developed and tested
  2. PDF Processing (Java)
  3. Document Handling

How IDRsolutions develops and ensures its code is safe

General coding principles

All code is written in-house by IDRsolutions full-time staff and stored in our private repositories. Every code change is peer-reviewed by at least two other developers. Every code change is also tested for performance, regression and code security using SonarQube and a barrage of unit tests.

AI usage

We regard AI as a useful tool that can help our developers to write better code (similar to how we might also use Stack Overflow, AI code hints, etc). Just like how we would not simply copy and paste code we found on a website, every piece of code in our codebase is developed by us, reviewed by us, and, most importantly, is fully understood by us.

Handling of vulnerabilities

Our strategy is to:

  • Produce a patched version as soon as possible
  • Notify all customers privately and advise them to update to the latest version
  • Publicly acknowledge the vulnerability and confirm the fix in the next general release (having first confirmed that none of our customers still have issues with it). This happened with a potential XXE vulnerability in our JPedal product in 2018 (see the release note).

Running JPedal

JPedal is a Java application, and all processing occurs within the Java Virtual Machine (JVM). Besides Java, there are no other system dependencies required.

JPedal does not use any third-party libraries within the server code, preventing exposure to third-party vulnerabilities.

The JPedal Viewer makes optional use of the third-party FlatLAF library for the GUI.

JPedal does not make any network calls apart from the trial, which tracks trial usage.

Document Handling

JPedal handles documents in various ways, and the security concerns change depending on the use case.

General concerns

PDF files may contain arbitrary JavaScript, which JPedal will never execute.

PDF files may contain arbitrary embedded files, which JPedal will never execute. JPedal includes the ability to extract these files, so care should be taken when handling them.

JPedal also provides options to sanitize PDF files using the PdfManipulator class.

PDF files could act maliciously by requiring an excessive amount of system resources to be processed. This threat can be mitigated by setting memory limits and enforcing a maximum conversion duration.
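One way to apply both of those mitigations, added here as an example rather than code from JPedal itself, is to run each conversion in a child JVM with a capped heap and a hard deadline, so a resource-hungry PDF can exhaust or stall only that child and never the server process. The worker entry point and the classpath are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Runs one PDF conversion in a child JVM with a fixed heap and a hard time limit. */
public final class BoundedConversion {

    // Assumptions (not JPedal's own API): a worker main class that takes
    // <input.pdf> <output-dir> on its command line and exits non-zero on failure.
    private static final String WORKER_MAIN = "com.example.ConvertWorker";
    private static final String CLASSPATH =
            String.join(File.pathSeparator, "jpedal.jar", "worker.jar");

    public enum Outcome { SUCCEEDED, FAILED, TIMED_OUT }

    public static Outcome convert(Path input, Path outputDir, int heapMb, long timeoutSeconds)
            throws IOException, InterruptedException {
        String javaBin = Path.of(System.getProperty("java.home"), "bin", "java").toString();
        List<String> cmd = List.of(
                javaBin,
                "-Xmx" + heapMb + "m",          // memory limit: an OOM kills the child, not the server
                "-XX:+ExitOnOutOfMemoryError",  // make sure an OOM child exits instead of hanging
                "-cp", CLASSPATH,
                WORKER_MAIN,
                input.toAbsolutePath().toString(),
                outputDir.toAbsolutePath().toString());

        Process child = new ProcessBuilder(cmd)
                .redirectErrorStream(true)
                .redirectOutput(new File(outputDir.toFile(), "worker.log"))
                .start();

        // maximum conversion duration: kill the child if it overruns the deadline
        if (!child.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            child.destroyForcibly();
            child.waitFor();
            return Outcome.TIMED_OUT;
        }
        return child.exitValue() == 0 ? Outcome.SUCCEEDED : Outcome.FAILED;
    }

    public static void main(String[] args) throws Exception {
        Outcome result = convert(Path.of(args[0]), Path.of(args[1]), 512, 60);
        System.out.println("Conversion " + result);
        System.exit(result == Outcome.SUCCEEDED ? 0 : 1);
    }
}
```

A TIMED_OUT or FAILED result for a file that other tooling handles normally is worth logging and reviewing, since it is the signal that a document tripped the resource limits.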

Client specific usage

The only concerns for the JPedal Viewer are the potential risk of malicious PDF files using hyperlinks for phishing attacks, and the risk of users saving and opening malicious file attachments.

Server specific usage

If you are running JPedal on your server to convert PDF files to images, extract content, or manipulate PDF files, there should be no additional concerns, and you can have confidence in its security.

Vulnerabilities

In the event of a security vulnerability being discovered in JPedal we would aim to notify customers privately and provide opportunity for remediation before disclosing the vulnerability publicly.

If you discover a vulnerability in our software then you can disclose this to us by contacting us.
