# Threat Model: SaaS Multi-Tenant Invoice Generator

This document describes the threat model for deploying fulgur as the PDF engine in a SaaS multi-tenant invoice (document) generator. The primary use case is: **end-users design HTML templates via a WYSIWYG editor, supply JSON data per document, and the server renders PDFs in batch.**

This analysis drives the design of the HTML sanitiser (fulgur-me2) and the MiniJinja sandbox (fulgur-q1z).

Japanese version: [threat-model.ja.md](threat-model.ja.md)

## Architecture overview

```text
End-user (browser)
  │
  ├─ WYSIWYG editor ──► HTML template ──┐
  │                                     ▼
  └─ Form / API ──► JSON data ──► fulgur Engine ──► PDF
                                        ▲
                         SaaS operator (fonts, CSS, images)
```

Three distinct input channels feed the engine:

| Channel | Controlled by | Trust level |
|---|---|---|
| HTML template | End-user (via WYSIWYG) | **Untrusted** |
| JSON data | End-user (via API / form) | **Untrusted** |
| Asset bundle (fonts, CSS, images) | SaaS operator | Trusted |

## Threat actors

### A1 — Malicious template author

An end-user who crafts or modifies HTML templates through the WYSIWYG editor (or by intercepting the API) to:

- Execute JavaScript in the rendering pipeline
- Reference external resources (SSRF)
- Escape the asset sandbox to read server files (path traversal)
- Leak data from other tenants
- Cause denial of service

### A2 — Malicious JSON data supplier

An end-user who submits crafted JSON payloads to:

- Inject HTML/JS via template variable expansion
- Trigger excessive loop iterations or deep recursion in the template engine
- Cause memory exhaustion through very large values

### A3 — Compromised SaaS operator

An operator (or a supply-chain attacker who compromises operator assets) who:

- Injects malicious CSS or fonts into the shared asset bundle

This actor is **lower priority** because operator assets are trusted by design; defence here focuses on limiting blast radius rather than preventing access.

## Vulnerability categories and mitigations

### V1 — Script injection (XSS equivalent)

**Threat:** Template contains `