feat(canary): honeydoc_docx + honeydoc_pdf generators

honeydoc previously emitted HTML only — operators picking 'Document' out of the dropdown got a .html file dropped at /Documents/quarterly_report.docx, which any attacker would clock the moment they ran 'file' on it.

Two new generators that emit the real artifact format:

- honeydoc_docx: stdlib zipfile only. Builds a minimal but valid Office Open XML zip with the same Q3 review body as the HTML flavor and an external-image relationship pointing at the callback URL — same trick the operator-upload DOCX instrumenter uses, fetched on document open by Word and LibreOffice. Reuses _drawing() and _next_rid() from instrumenters/docx.py to keep the body/relationships shape identical between synthesised and instrumented files.
- honeydoc_pdf: pikepdf-backed. One-page PDF in the 14 base fonts (Helvetica, no font embedding), realistic body, /OpenAction /URI on the catalog so most viewers fire the callback on document open. Falls back to a clear error if pikepdf is missing so the operator can switch to honeydoc / honeydoc_docx.

Default placement paths now reflect each generator's true extension (.html / .docx / .pdf) so the UI suggests something sensible.

Both generators surfaced in the New Token modal's generator dropdown.
@@ -20,7 +20,8 @@ interface BlobRow {
|
||||
}
|
||||
|
||||
const KNOWN_GENERATORS = [
|
||||
'git_config', 'env_file', 'ssh_key', 'aws_creds', 'honeydoc',
|
||||
'git_config', 'env_file', 'ssh_key', 'aws_creds',
|
||||
'honeydoc', 'honeydoc_docx', 'honeydoc_pdf',
|
||||
] as const;
|
||||
type GeneratorName = typeof KNOWN_GENERATORS[number];
|
||||
|
||||
|
||||
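Review bot: The new 'honeydoc_docx' and 'honeydoc_pdf' entries in KNOWN_GENERATORS are offered unconditionally, yet the commit message says honeydoc_pdf raises an error when pikepdf is not installed, so an operator can select a dropdown option that then fails at generation time. Consider having the backend report which generators are usable and disabling or hiding the unavailable ones in the modal, or at minimum labelling honeydoc_pdf as requiring pikepdf. The array is also hard-coded in the UI, so a short comment naming where the authoritative generator list lives would help keep the two in step when the next generator is added.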