|
| 1 | +# Contributing to malicious-pdf |
| 2 | + |
| 3 | +Thanks for your interest in improving this project. This document describes how |
| 4 | +to report issues, propose changes, and add new test cases. |
| 5 | + |
| 6 | +## Reporting bugs and requesting enhancements |
| 7 | + |
| 8 | +- File non-security issues at https://github.com/jonaslejon/malicious-pdf/issues. |
| 9 | +- Search existing issues first to avoid duplicates. |
| 10 | +- Include: command run, expected vs. actual output, Python version, OS, and the |
| 11 | + PDF viewer / processor under test if relevant. |
| 12 | +- Bug reports and enhancement requests are accepted in **English**. |
| 13 | +- Maintainers aim to acknowledge new reports within 14 days. |
| 14 | + |
| 15 | +## Reporting security vulnerabilities |
| 16 | + |
| 17 | +Do **not** open a public issue for security vulnerabilities. Follow the private |
| 18 | +disclosure process documented in [`SECURITY.md`](SECURITY.md). The maintainer |
| 19 | +aims for an initial response within 14 days. |
| 20 | + |
| 21 | +## Pull requests |
| 22 | + |
| 23 | +1. Fork the repo and branch from `main`. |
| 24 | +2. Keep changes focused — one technique or fix per PR. |
| 25 | +3. Follow the project conventions documented in [`CLAUDE.md`](CLAUDE.md), |
| 26 | + especially the rules around test numbering, the `pdf_generators` dict, and |
| 27 | + post-processing (credit + obfuscation). |
| 28 | +4. Update `README.md` (test matrix and file count) and `CHANGELOG.md` when |
| 29 | + user-visible behavior changes. |
| 30 | +5. Confirm the smoke test passes locally: |
| 31 | + ```bash |
| 32 | + python3 malicious-pdf.py https://example.com |
| 33 | + ls output/ | wc -l # should match the documented test count |
| 34 | + ``` |
| 35 | +6. Open a PR describing **what** changed and **why**, and link any relevant |
| 36 | + CVE, advisory, or research blog post. |
| 37 | + |
| 38 | +## Adding a new test case |
| 39 | + |
| 40 | +Before writing code, verify the technique is not already covered (action type, |
| 41 | +JS API, trigger mechanism, transport — see `CLAUDE.md` for the full checklist). |
| 42 | +Each PDF must exercise exactly one unique technique. |
| 43 | + |
| 44 | +Then: |
| 45 | + |
| 46 | +1. Add `def create_malpdfN(filename, host)` before `main()`. |
| 47 | +2. Register it in the `pdf_generators` dict in `main()`. |
| 48 | +3. Update the `README.md` test matrix and the documented file count. |
| 49 | +4. Add a short entry under `## [Unreleased]` in `CHANGELOG.md`. |
| 50 | + |
| 51 | +## Testing policy |
| 52 | + |
| 53 | +- Every PR that adds or changes a generator must keep the smoke test green |
| 54 | + (CI runs `python3 malicious-pdf.py https://example.com` on every push and |
| 55 | + asserts the expected number of `.pdf` files is produced). |
| 56 | +- New generators should be exercised at all supported obfuscation levels |
| 57 | + (`--obfuscate 0` through `--obfuscate 4`) before merging when feasible. |
| 58 | +- Manual viewer testing (Acrobat / PDF.js / Chrome PDFium) is encouraged for |
| 59 | + any change that affects an existing validated payload — note results in the |
| 60 | + PR description. |
| 61 | + |
| 62 | +## Code style |
| 63 | + |
| 64 | +- Pure Python 3, no external PDF libraries — PDFs are constructed as raw |
| 65 | + strings/bytes (see `CLAUDE.md`). |
| 66 | +- Match the existing style of nearby code; no large reformatting in functional |
| 67 | + PRs. |
| 68 | +- Keep generator functions self-contained; do not apply credit or obfuscation |
| 69 | + inside generators (those are post-processing steps). |
| 70 | + |
| 71 | +## License |
| 72 | + |
| 73 | +By submitting a contribution you agree that it will be released under the |
| 74 | +project's [MIT License](LICENSE). |
0 commit comments