Validate PDF files with dangerous content

ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php

@@ -290,6 +290,12 @@ public function store(Request $laravel_request, FileReceiver $receiver, ProcessR
      */
     private function saveUploadedFile(UploadedFile $file, ProcessRequest $processRequest, Request $laravelRequest)
     {
+        $errors = [];
+        $this->validateFile($file, $errors);
+        if (count($errors) > 0) {
+            return abort(response($errors , 422));
+        }
+
         $parentId = $processRequest->parent_request_id;
         $parentRequest = $processRequest;
 
@@ -411,4 +417,29 @@ public function destroy(Request $laravel_request, ProcessRequest $request, $file
 
         return response([], 204);
     }
+
+    private function validateFile(UploadedFile $file, &$errors)
+    {
+        if (strtolower($file->getClientOriginalExtension() === 'pdf')) {
+             $this->validatePDFFile($file, $errors);
+        }
+
+        return $errors;
+    }
+
+    private function validatePDFFile(UploadedFile $file, &$errors)
+    {
+        $text = $file->get();
+
+        $jsKeywords = ['/JavaScript', '/JS', '<< /S /JavaScript'];
+
+        foreach ($jsKeywords as $keyword) {
+            if (strpos($text, $keyword) !== false) {
+                $errors[] = __('Dangerous PDF file content.');
+                break;
+            }
+        }
+
+        return $errors;
+    }
 }