Understand the security considerations around CE.SDK.
As CE.SDK for the most part deals with arbitrary user input, we have to take security into account. This document gives an overview of our current security measures and provides insights into how we deal with data:
- The CreativeEngine will read files from external resources to fetch images, fonts, structured data and other sources for the design. These reads are not safeguarded beyond the platform-specific default measures.
- The engine never loads executable code or tries to execute any data acquired from dynamic content. It generally relies on the provided mime types to decode e.g. image data, or falls back to byte-level inspection to choose the appropriate decoder.
- Whenever data needs to be written, we do so by providing a callback that returns a pointer to the to-be-written data. The engine itself never unconditionally writes to an externally defined path. If it writes to files directly, these are part of internal directories and can’t be modified externally.
- Generated PDFs may have the original image files embedded, if the image was not altered via effects or blurs and the `exportPdfWithHighCompatibility` option was not enabled. So a malicious image file could theoretically be forwarded to the exported PDF.
- Inline text-editing allows arbitrary input of strings by users. The engine does so using platform-specific default inputs and APIs and doesn’t apply any additional sanitization. The acquired strings are stored and used exclusively for text rendering; they are neither executed nor used for file operations.
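Since the engine decodes fetched assets by declared mime type with byte-level inspection as the fallback, and may embed unmodified image files in exported PDFs, an integrator can reject suspicious assets before they ever reach the engine. The following is an added example written for this page, not CE.SDK code: a pre-ingestion check that sniffs the magic bytes of a fetched file, compares the result with the declared `Content-Type`, and applies an allow-list. The signature table, the `checkAsset` function and the sample byte strings are all constructed here and are assumptions, not anything the engine exposes.

```javascript
// Added example (not part of CE.SDK): validate a fetched asset before handing it to the engine.

// Magic-byte signatures for a few formats an editor commonly ingests (constructed table).
const SIGNATURES = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { mime: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
];

// Encode a short ASCII string as bytes (used for RIFF/WEBP checks and sample data).
function ascii(s) {
  return Uint8Array.from(s, (ch) => ch.charCodeAt(0));
}

function startsWith(buf, bytes, offset = 0) {
  if (buf.length < offset + bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) {
    if (buf[offset + i] !== bytes[i]) return false;
  }
  return true;
}

// Byte-level inspection: returns the detected mime type or null if nothing matches.
function sniffMime(buf) {
  for (const sig of SIGNATURES) {
    if (startsWith(buf, sig.bytes)) return sig.mime;
  }
  // WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
  if (startsWith(buf, ascii("RIFF")) && startsWith(buf, ascii("WEBP"), 8)) {
    return "image/webp";
  }
  return null;
}

// Decide whether an asset may be passed on to the engine.
// declaredMime: the Content-Type the remote resource claimed (may be null).
// allowedMimes: Set of sniffed types the integration accepts.
function checkAsset(declaredMime, buf, allowedMimes) {
  const sniffed = sniffMime(buf);
  const declared = declaredMime
    ? declaredMime.split(";")[0].trim().toLowerCase()
    : null;
  if (sniffed === null) {
    return { ok: false, reason: "unrecognized content", sniffed, declared };
  }
  // A declared type that disagrees with the bytes is the classic smuggling pattern:
  // the engine would fall back to byte-level inspection and decode the real format.
  if (declared !== null && declared !== sniffed) {
    return { ok: false, reason: "declared type mismatch", sniffed, declared };
  }
  if (!allowedMimes.has(sniffed)) {
    return { ok: false, reason: "type not allowed", sniffed, declared };
  }
  return { ok: true, reason: null, sniffed, declared };
}

// Constructed sample inputs: just file headers, not complete files.
const PNG_SAMPLE = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]);
const PDF_SAMPLE = ascii("%PDF-1.7\n");
const WEBP_SAMPLE = new Uint8Array([...ascii("RIFF"), 0, 0, 0, 0, ...ascii("WEBP")]);

const ALLOWED = new Set(["image/png", "image/jpeg", "image/webp"]);

// Sample run: a PDF served with an image/png Content-Type is rejected before ingestion.
console.log(checkAsset("image/png", PNG_SAMPLE, ALLOWED));
console.log(checkAsset("image/png", PDF_SAMPLE, ALLOWED));
console.log(checkAsset(null, PDF_SAMPLE, ALLOWED));
```

Run this gate on the raw bytes before they are handed to the engine's asset loading. Anything it rejects is never decoded and therefore can never end up embedded unmodified in an exported PDF, which is the practical way to close the embedding path described above without depending on how the engine itself picks a decoder.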