When I paste a link in Google Docs, the UI tells me that it's preserving the link I pasted. Now, if it converted http://example.com to a google redirect link in the doc, then I probably would not be surprised to see it show up the same way in my export.
It is not. There is no sense at all: you could use manually crafted HTML page with malicious links, there is no benefit in using Google Docs export for this.
The benefit is as OP said: it bypasses corporate firewalls because it's a google doc.
Although I can only reproduce this redirect page in a published doc page[0], not in a pdf export (unless there's another way to download pdf via url trickery)
> edit: you can reuse the URL to download the export. tested on another network. it expires fairly quickly though, within a couple minutes it seems.
(thanks for the test)
So it's clearly not a possible real vector, and actually they thought about it being a possible vector, otherwise they would not have put the expiration.
That's for sure, but what attack vectors do you imagine? If the bad actor, for example, is the owner of the document it can easily put a link to a malware that Google will not detect.
Oh, you're right! And by that logic, Hacker News is a malware vector, too, with all these random links hanging around. Maybe we should petition the moderators to integrate Google's tracking links here as well!
