Going to some of my old code and asking Bob to check for vulnerabilities!
Introduction
We’ve all been there. A little red light pops up on the dashboard, and instead of pulling over, we perform the ancient ritual of “The Great Ignore.” We tell ourselves it’s probably just a sensitive sensor or that the car feels fine, so it must be fine. We do the same thing with our digital infrastructure: we see a CVE notification, shrug, and decide that today isn’t the day to deal with a “theoretical” exploit.
But here’s the cold, hard reality: in the world of cybersecurity, that “Check Engine” light isn’t a glitch — it’s the sound of a digital crowbar prying at your front door.
While it’s easy to joke about the absurdity of a refrigerator getting hacked or a smart-toaster joining a botnet, the punchline stops being funny when it’s your customer data, your intellectual property, or your entire company’s reputation on the line. Security isn’t just a checkbox for the compliance department or a “nice-to-have” for when the budget allows; it’s the foundation that keeps the whole house from sliding down the hill.
In this post, I’m going to stop the nervous laughter and look at why treating vulnerabilities like minor inconveniences is the fastest way to become a cautionary tale. It’s time to take security seriously — before a hacker does it for you.
After the introduction, going to some of my old code, I checked on an old script which I use by the way (locally) to merge my PDF files instead of going to a web site where I’m not quite sure about the privacy matters (by the way, the code(s) are in an old blog post). So I asked Bob to do a security/vulnerability check. I got upset with myself at Bob’s findings 💀💀💀 😂.
As a refresher, I’m posting again the shortest version of the code, which does not have a GUI (the Streamlit version is in the post) 👇
```python
# pdf_merger_2.py
import os
from PyPDF2 import PdfMerger, PdfReader


def merge_pdfs_in_directory(input_folder, output_folder, output_filename="merged_output.pdf"):
    """
    Recursively finds all PDF files in the input_folder and merges them
    into a single PDF file in the output_folder.

    Args:
        input_folder (str): The path to the folder containing PDF files.
        output_folder (str): The path to the folder where the merged PDF will be saved.
        output_filename (str): The name of the merged PDF file.
    """
    if not os.path.exists(input_folder):
        print(f"Error: Input folder '{input_folder}' does not exist.")
        return

    # --- This is the part that creates the output directory if it doesn't exist ---
    if not os.path.exists(output_folder):
        os.makedirs(output_folder)
        print(f"Created output folder: '{output_folder}'")
    # -----------------------------------------------------------------------------

    merger = PdfMerger()
    pdf_files_found = []

    # Walk through the input folder recursively
    for root, _, files in os.walk(input_folder):
        for file in files:
            if file.lower().endswith('.pdf'):
                filepath = os.path.join(root, file)
                pdf_files_found.append(filepath)

    if not pdf_files_found:
        print(f"No PDF files found in '{input_folder}' and its subdirectories.")
        return

    # Sort the files for consistent merging order (optional, but good practice)
    pdf_files_found.sort()

    print(f"Found {len(pdf_files_found)} PDF files to merge:")
    for pdf_file in pdf_files_found:
        print(f"- {pdf_file}")
        try:
            with open(pdf_file, 'rb') as f:
                merger.append(PdfReader(f))
        except Exception as e:
            # A single unreadable/corrupt PDF is reported and skipped; the rest still merge
            print(f"Error appending {pdf_file}: {e}")

    output_filepath = os.path.join(output_folder, output_filename)
    try:
        with open(output_filepath, 'wb') as output_file:
            merger.write(output_file)
        print(f"\nSuccessfully merged PDF files to: '{output_filepath}'")
    except Exception as e:
        print(f"Error writing merged file: {e}")
    finally:
        merger.close()


if __name__ == "__main__":
    script_dir = os.path.dirname(os.path.abspath(__file__))
    input_folder_name = "input"
    output_folder_name = "output"

    # Construct full paths
    input_path = os.path.join(script_dir, input_folder_name)
    output_path = os.path.join(script_dir, output_folder_name)

    # Example Usage:
    # 1. Create an 'input' folder in the same directory as this script.
    # 2. Place some PDF files (and even subfolders with PDFs) inside the 'input' folder.
    # 3. Run this script.
    # The merged PDF will be created in the 'output' folder.
    merge_pdfs_in_directory(input_path, output_path, "all_merged_documents.pdf")
```
Bob’s analysis was astonishing… 🫣
Lessons Learned and Conclusion
The security analysis of these two PDF merger applications serves as a stark reminder of how easily vulnerabilities can hide in even the most “straightforward” scripts. As we’ve seen, ignoring simple or complex security pitfalls — from uncontrolled resource consumption to path traversal — can transform a helpful tool into a significant liability.
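To make the two pitfalls named above concrete, here is an added example (my own hardening sketch, not the original pdf_merger_2.py and not output from Bob) showing how the script’s two weak spots could be closed: `output_filename` is joined onto the output folder unchecked, so a value like `../something.pdf` would write outside the intended folder (path traversal), and the recursive walk will happily feed any number of PDFs of any size into memory (uncontrolled resource consumption). The function names `safe_output_path` and `collect_pdfs`, the limits `MAX_FILES` and `MAX_TOTAL_BYTES`, and the placeholder file contents in `demo()` are all constructed for this illustration.

```python
# hardened_paths.py (added example; helper names and limits are assumptions, not the original script's)
import os
import shutil
import tempfile
from typing import Dict, List

MAX_FILES = 200                   # constructed budget: refuse to merge more than this many PDFs
MAX_TOTAL_BYTES = 500 * 1024 ** 2 # constructed budget: refuse more than ~500 MiB of input in total


def safe_output_path(output_folder: str, output_filename: str) -> str:
    """Join output_filename onto output_folder and guarantee the result stays inside it.
    Rejects empty names, names carrying a directory part ('../x', '/abs/x', 'sub/x'),
    symlink escapes (realpath resolves them) and non-.pdf names."""
    if not output_filename or os.path.basename(output_filename) != output_filename:
        raise ValueError(f"invalid output file name: {output_filename!r}")
    root = os.path.realpath(output_folder)
    candidate = os.path.realpath(os.path.join(root, output_filename))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:            # different drives on Windows -> certainly not inside
        inside = False
    if not inside:
        raise ValueError(f"output path escapes output folder: {output_filename!r}")
    if not candidate.lower().endswith(".pdf"):
        raise ValueError("output file must have a .pdf extension")
    return candidate


def collect_pdfs(input_folder: str, max_files: int = MAX_FILES,
                 max_total_bytes: int = MAX_TOTAL_BYTES) -> List[str]:
    """Recursively list PDF files, but fail fast once the count or total size budget is
    exceeded, instead of discovering mid-merge that the machine is out of memory or disk.
    Symlinks are not followed so a link inside 'input' cannot pull in files from elsewhere."""
    found: List[str] = []
    total = 0
    for root, _, files in os.walk(input_folder, followlinks=False):
        for name in files:
            if not name.lower().endswith(".pdf"):
                continue
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            total += os.path.getsize(path)
            found.append(path)
            if len(found) > max_files:
                raise RuntimeError(f"more than {max_files} PDF files under {input_folder!r}")
            if total > max_total_bytes:
                raise RuntimeError(f"PDF inputs exceed {max_total_bytes} bytes in total")
    found.sort()
    return found


def demo() -> Dict[str, object]:
    """Build a constructed input tree in a temp dir and exercise both checks."""
    work = tempfile.mkdtemp()
    try:
        inp = os.path.join(work, "input")
        out = os.path.join(work, "output")
        os.makedirs(os.path.join(inp, "sub"))
        os.makedirs(out)
        for rel in ("b.pdf", os.path.join("sub", "a.pdf"), "notes.txt"):
            with open(os.path.join(inp, rel), "wb") as fh:
                fh.write(b"%PDF-1.4\n%%EOF\n")  # constructed placeholder bytes, not a real PDF
        result: Dict[str, object] = {
            "pdfs": [os.path.relpath(p, inp).replace(os.sep, "/") for p in collect_pdfs(inp)],
            "ok_path": safe_output_path(out, "merged.pdf")
                       == os.path.realpath(os.path.join(out, "merged.pdf")),
        }
        rejected = []
        for bad in ("../escape.pdf", "/tmp/abs.pdf", "sub/nested.pdf", "merged.txt"):
            try:
                safe_output_path(out, bad)
            except ValueError:
                rejected.append(bad)
        result["rejected"] = rejected
        try:
            collect_pdfs(inp, max_files=1)   # two PDFs exist, so a budget of one must trip
            result["limit_enforced"] = False
        except RuntimeError:
            result["limit_enforced"] = True
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In the original script these would slot in at two points: `collect_pdfs` replaces the bare `os.walk` loop, and `safe_output_path(output_folder, output_filename)` replaces the unchecked `os.path.join` before `merger.write`. The size budget only bounds what is read from disk; a PDF that is small on disk but expands enormously when parsed is a separate concern that the library, not this path logic, has to handle.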
While one might not “bother much” with extensive hardening for a quick local script, the standard changes entirely in a real-world software delivery environment. In professional production, these pitfalls must be double-checked with extreme rigor. Utilizing specialized tools like IBM Bob SDLC for security scanning and lifecycle management is an essential strategy for identifying these risks early; it ensures that even those who aren’t career developers can maintain a professional security posture and prevent their software from becoming a cautionary tale.
>>> Thanks for Reading <<<
Links
- PDF Merging Code Blog Post: https://dev.to/aairom/pdf-power-up-merge-reorder-and-decrypt-pdfs-with-a-local-python-app-jdh
- IBM Bob: https://bob.ibm.com/