Skip to content

Security: mroughan/PaperFetch.jl

Security

SECURITY.md

Security Policy

PaperFetch.jl is a bibliography checking and PDF-fetching tool. It deliberately avoids direct handling of library usernames and passwords.

Credential Model

Recommended credential-assisted workflow:

  1. Log into your library or proxy in your own browser.
  2. Run PaperFetch.jl on your own computer.
  3. Pass either an institutional proxy URL template or a local exported cookie file when you explicitly choose fetch mode.
  4. Delete temporary cookie files when you are finished.

The optional cookie-file mode treats cookies as bearer tokens. Anyone with that file may temporarily inherit your web session.

What Not To Share

Do not commit, upload, email, or paste:

  • browser cookies or exported cookies.txt files;
  • passwords, session tokens, API keys, or proxy URLs containing secrets;
  • private bibliographies;
  • downloaded PDFs that you are not entitled to redistribute;
  • API caches if they contain private URLs, request metadata, or unpublished bibliography information;
  • reports that include proxied URLs or other sensitive local paths.

Generated outputs such as .paperfetch_cache/, paperfetch_out/, downloads/, and docs/build/ are ignored by git and should usually stay local.

Full-Text PDF Verification

check --use-apis normally only queries metadata APIs; it does not download files. The one exception is full-text PDF verification: when no metadata provider can confirm an entry, but a PDF candidate URL is known, check downloads that one PDF (anonymously, with no cookies or proxy credentials) and runs it through pdftotext, and optionally pdftoppm/tesseract for a scanned PDF, entirely on your own machine. No content is sent anywhere except the download itself.

This means check can, by default when --use-apis is set, fetch and locally parse a file from a URL taken from the bibliography, using third-party open-source tools (poppler, tesseract) that PaperFetch.jl does not audit. Parsing any untrusted file with any tool carries some inherent risk. Pass --no-verify-pdf-text (or verify_pdf_text=false in the Julia API) to disable this if you are checking a bibliography from an untrusted source, or prefer not to download files during check at all.

Responsible Use

Use a real contact email for public scholarly APIs. Keep batches small, respect rate limits, and check library, publisher, and repository terms before downloading PDFs.

PaperFetch.jl can help identify open-access PDFs and validate references, but it does not grant access rights. Retrieve only material you are entitled to access.

Reporting Security Issues

If you find a security issue, please contact the maintainer privately rather than opening a public issue with exploit details. A public issue is fine for ordinary bugs that do not expose credentials, private URLs, or private documents.

There aren't any published security advisories