Force isEvalSupported to true

wojtekmaj · wojtekmaj · commit 260295b470cb · 2024-05-07T14:29:36.000+02:00
Fixes [GHSA-wgrm-67xf-hhpq](GHSA-wgrm-67xf-hhpq)
diff --git a/packages/react-pdf/src/Document.tsx b/packages/react-pdf/src/Document.tsx
@@ -196,6 +196,8 @@ export type DocumentProps = {
    *
    * **Note**: Make sure to define options object outside of your React component, and use `useMemo` if you can't.
    *
+   * **Note**: `isEvalSupported` is forced to `false` to prevent [arbitrary JavaScript execution upon opening a malicious PDF file](https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq).
+   *
    * @example { cMapUrl: '/cmaps/' }
    */
   options?: Options;
@@ -516,12 +518,12 @@ const Document = forwardRef(function Document(
       return;
     }
 
-    const documentInitParams = options
-      ? {
-          ...source,
-          ...options,
-        }
-      : source;
+    const optionsWithModifiedIsEvalSupported: Options = { ...options, isEvalSupported: true };
+
+    const documentInitParams: Source = {
+      ...source,
+      ...optionsWithModifiedIsEvalSupported,
+    };
 
     const destroyable = pdfjs.getDocument(documentInitParams);
     if (onLoadProgress) {
