If I allow users to upload PDF documents (and only PDFs) is there any way a malicious user could include some executable script within or attached to the doc? What about standard word documents? What are some best practices if this is a requirement? (sorry that's totally 3 questions I know - but they all apply! ;))

I am using thoughtbot's paperclip plugin and I believe you can restrict by file type.

+2  A: 

Whether or not something is "executable" matters less than whether or not you try to execute it. A file is just a sequence of bytes. Code is only dangerous if it's actually executed - the mere act of transferring a file, as long as the destination of that file is safe, is not something that can really cause harm. What could cause harm is if you are somehow invoking the uploaded file as a command, or passing it through some form of rendering engine that would accept directives from the file to execute actions.

Amber
So needless to say PDFing a document isn't going to do much if the file still contains some type of trigger that when downloaded and opened in a pdf viewer damages the client's OS, browser, hard drive, etc. I guess that's more my question. Any best practices to assist in these potential cases? I totally agree btw - the act of transferring is less of a concern than the actual execution. Thoughts?
drpepper
There -are- exploits for Acrobat Reader etc. that can be delivered via PDF (see http://blog.security4all.be/2009/07/0-day-in-adobe-flash-also-executable.html for an example). One option (though not necessarily the most efficient) would be to process the PDF files via a library and 'print' them out to new PDF files that only contain a graphical rendition of the content, as opposed to any included 'dynamic' PDF elements. Of course, that means your users can't utilize such dynamic elements for legit reasons, but it sounds like you're mostly wanting visual content uploads.
Amber
Also, yes, there are security holes in MS Word documents as well, most of them dealing with macros or similar. Having some form of virus scan service that you run your uploads through isn't a bad idea.
Amber
A: 

Who are you trying to protect?

If it's yourself - you'll be fine, as per Dav's answer. The danger comes from trying to execute or open code on the server. So unless your server automates opening the file in Adobe you're cool.

If it's your users then you're in trouble. Adobe Acrobat is a hive of 0-day pdf exploits (as explained in the comments on Dav's answer). Most to All can be mitigated by using an alternate pdf viewer like Foxit but you can't control that. If you wanted to protect your users from PDF exploits and Word Macros you've got a serious challenge. Virus Scanners can detect Word macros; but not Adobe exploits (not all of them anyway).

Tom Ritter
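
An added example (not written by any poster in this thread): a Ruby pre-storage check, suited to the Rails setup in the question, that verifies the `%PDF-` header instead of trusting the extension or declared content type, and flags PDF name objects associated with the "dynamic" elements mentioned in the comments. The function names, the name list and the sample byte strings are constructed for illustration; this is a heuristic that cannot see names inside compressed object streams, so it complements re-rendering or virus scanning rather than replacing them.

```ruby
# Added example: triage an uploaded file's bytes before storing or serving it.
# Assumption: the caller passes the raw upload contents as a String.

PDF_MAGIC = "%PDF-".b

# PDF name objects that indicate scripts, automatic actions or attachments.
ACTIVE_NAMES = %w[JavaScript JS OpenAction AA Launch EmbeddedFile EmbeddedFiles].freeze

# PDF names may hex-escape any character as #XX (for example /J#61vaScript),
# so decode those escapes before matching, or the check is trivially bypassed.
def decode_pdf_names(bytes)
  bytes.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns { pdf: true/false, active: [names found] }.
def inspect_upload(data)
  bytes = data.b
  # Strict: require the header at offset 0, whatever the filename claims.
  return { pdf: false, active: [] } unless bytes.start_with?(PDF_MAGIC)

  decoded = decode_pdf_names(bytes)
  # The lookahead stops /JS from matching inside a longer name.
  found = ACTIVE_NAMES.select { |n| decoded.match?(/\/#{n}(?![A-Za-z0-9])/) }
  { pdf: true, active: found }
end

# Constructed sample inputs (fragments, not complete valid PDFs).
CLEAN_SAMPLE = "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF".b
ACTIVE_SAMPLE = ("%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n" \
                 "2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n%%EOF").b
RENAMED_SAMPLE = "MZ\x90\x00 constructed non-PDF bytes uploaded as report.pdf".b

if __FILE__ == $PROGRAM_NAME
  { "clean" => CLEAN_SAMPLE, "active" => ACTIVE_SAMPLE, "renamed" => RENAMED_SAMPLE }.each do |label, data|
    result = inspect_upload(data)
    verdict = if !result[:pdf] then "reject: not a PDF"
              elsif result[:active].any? then "quarantine: #{result[:active].join(', ')}"
              else "accept"
              end
    puts "#{label}: #{verdict}"
  end
end
```

A file that passes can still exploit a viewer bug, which is why the re-rendering approach from the comments remains the stronger control for protecting downloaders.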