π‘οΈ Sentinel: [HIGH] Fix PDF Compilation Command Injection and Resource Exhaustion Risks#389
Conversation
Enforces -no-shell-escape on pdflatex and pandoc commands to prevent RCE and adds process timeouts to prevent DoS via resource exhaustion. Also suppresses a false positive XSS warning in the markupsafe HTML context. Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Reviewer's GuideAdds security hardening to LaTeX-based PDF generation by enforcing no-shell-escape flags, introducing 30-second timeouts with explicit subprocess cleanup for pdflatex and pandoc invocations, documenting the vulnerability in Sentinel notes, and suppressing a Bandit false positive for safe LaTeX escaping code. Sequence diagram for secured PDF compilation subprocess handlingsequenceDiagram
participant CoverLetterGenerator
participant pdflatex_process
CoverLetterGenerator->>pdflatex_process: subprocess.Popen(pdflatex_args)
CoverLetterGenerator->>pdflatex_process: process.communicate(timeout=30)
alt subprocess.TimeoutExpired
CoverLetterGenerator->>pdflatex_process: process.kill()
CoverLetterGenerator->>pdflatex_process: process.communicate()
CoverLetterGenerator-->>CoverLetterGenerator: pdf_created False / return False
else completed
pdflatex_process-->>CoverLetterGenerator: stdout, stderr
CoverLetterGenerator-->>CoverLetterGenerator: check returncode or output_path.exists()
end
Note over CoverLetterGenerator,pdflatex_process: pdflatex_args include -interaction=nonstopmode and -no-shell-escape
Flow diagram for hardened PDF compilation with pdflatex fallback to pandocflowchart TD
A[Start _compile_pdf or _compile_pdflatex] --> B[Run pdflatex with -no-shell-escape]
B --> C{TimeoutExpired?}
C -->|Yes| D[process.kill and communicate / return False or pdf_created False]
C -->|No| E{pdflatex success or output_path.exists}
E -->|Yes| F[Return True or pdf_created True]
E -->|No| G[Try pandoc fallback]
G --> H[Run pandoc with --pdf-engine-opt=-no-shell-escape]
H --> I{TimeoutExpired?}
I -->|Yes| J[process.kill and communicate / return False or pdf_created False]
I -->|No| K{pandoc success or output_path.exists}
K -->|Yes| F
K -->|No| L[Return False or pdf_created False]
File-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The timeout handling logic for LaTeX compilation is duplicated across multiple call sites; consider extracting a shared helper (e.g.,
run_with_timeout(cmd, cwd, timeout=30)) that encapsulatesPopen,communicate, timeout cleanup, and return-code handling to reduce repetition and risk of divergence. - In
_compile_pdfincover_letter_generator.py, when aTimeoutExpiredoccurs you setpdf_created = Falsebut still fall through to theif process.returncode == 0 or output_path.exists()check; returning immediately (or skipping that block) after the timeout would make the control flow clearer and avoid relying onprocess.returncodeafter a forced kill. - The hard-coded
timeout=30appears in several places; consider making this a configurable constant (e.g.,LATEX_COMPILE_TIMEOUT_SECONDS) so it can be tuned centrally and referenced consistently across all compilation paths.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The timeout handling logic for LaTeX compilation is duplicated across multiple call sites; consider extracting a shared helper (e.g., `run_with_timeout(cmd, cwd, timeout=30)`) that encapsulates `Popen`, `communicate`, timeout cleanup, and return-code handling to reduce repetition and risk of divergence.
- In `_compile_pdf` in `cover_letter_generator.py`, when a `TimeoutExpired` occurs you set `pdf_created = False` but still fall through to the `if process.returncode == 0 or output_path.exists()` check; returning immediately (or skipping that block) after the timeout would make the control flow clearer and avoid relying on `process.returncode` after a forced kill.
- The hard-coded `timeout=30` appears in several places; consider making this a configurable constant (e.g., `LATEX_COMPILE_TIMEOUT_SECONDS`) so it can be tuned centrally and referenced consistently across all compilation paths.Help me be more useful! Please click π or π on each comment and I'll use the feedback to improve your reviews.
Enforces -no-shell-escape on pdflatex and pandoc commands to prevent RCE and adds process timeouts to prevent DoS via resource exhaustion. Also suppresses a false positive XSS warning in the markupsafe HTML context. Includes black formatting fixes to pass CI checks. Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>
π¨ Severity: HIGH
π‘ Vulnerability: Unrestricted LaTeX compilation allowing potential command execution (RCE) and lacking timeouts, causing possible resource exhaustion (DoS).
π― Impact: Attackers could execute arbitrary commands or cause denial of service.
π§ Fix: Enforced -no-shell-escape on LaTeX compilers and added 30-second timeouts with cleanup. Suppressed false-positive Bandit B704 for LaTeX contexts.
β Verification: Verified timeouts and restricted execution flags via automated tests (test_pdf_security.py).
PR created automatically by Jules for task 1897174070991137640 started by @anchapin
Summary by Sourcery
Harden PDF generation against command injection and resource exhaustion when compiling LaTeX to PDF.
Bug Fixes:
Enhancements: