Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix LaTeX RCE and DoS vulnerabilities#393

Open
anchapin wants to merge 2 commits into
mainfrom
sentinel/latex-rce-dos-fix-8216287924626519256
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix LaTeX RCE and DoS vulnerabilities#393
anchapin wants to merge 2 commits into
mainfrom
sentinel/latex-rce-dos-fix-8216287924626519256

Conversation

@anchapin

@anchapin anchapin commented Jul 5, 2026

Copy link
Copy Markdown
Owner

🚨 Severity: CRITICAL
πŸ’‘ Vulnerability: Missing -no-shell-escape and timeout in PDF compilation
🎯 Impact: Remote Code Execution (RCE) via LaTeX injections and Denial of Service (DoS) via compilation hangs
πŸ”§ Fix: Added -no-shell-escape, --pdf-engine-opt=-no-shell-escape, and timeout=30 to pdflatex and pandoc subprocess calls. Properly handle subprocess.TimeoutExpired
βœ… Verification: Run python -m pytest tests/test_pdf_security.py and full test suite


PR created automatically by Jules for task 8216287924626519256 started by @anchapin

Summary by Sourcery

Harden LaTeX-based PDF generation against RCE and DoS by enforcing secure subprocess flags and timeouts across converters and cover letter generation.

Bug Fixes:

  • Prevent remote code execution by adding -no-shell-escape to pdflatex and --pdf-engine-opt=-no-shell-escape to pandoc-based PDF compilation paths.
  • Mitigate denial-of-service hangs during PDF compilation by enforcing a 30-second timeout and handling subprocess.TimeoutExpired in LaTeX and Pandoc subprocess calls.

Enhancements:

  • Extend PDF security test coverage to validate secure arguments, timeout behavior, and fallback logic in PDFConverter and CoverLetterGenerator.
  • Document the new LaTeX subprocess security requirements and learnings in the Sentinel security log.

* Added `-no-shell-escape` flag to pdflatex subprocess calls.
* Added `--pdf-engine-opt=-no-shell-escape` flag to pandoc subprocess calls.
* Added 30-second timeouts to mitigate DoS via compilation hangs.
* Properly kill and clean up zombie processes on TimeoutExpired.
* Added comprehensive tests in `tests/test_pdf_security.py` to verify flags and timeout behavior.

Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@sourcery-ai

sourcery-ai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Reviewer's Guide

This PR hardens LaTeX-based PDF generation against RCE and DoS by adding no-shell-escape flags and strict timeouts to pdflatex/pandoc subprocess calls, and introduces tests to verify secure behavior and document the sentinel finding.

Sequence diagram for secured LaTeX PDF compilation with timeout and no shell escape

sequenceDiagram
    actor User
    participant CoverLetterGenerator
    participant PdflatexProcess

    User->>CoverLetterGenerator: generate_cover_letter()
    CoverLetterGenerator->>CoverLetterGenerator: _compile_pdf(output_path, tex_content)
    CoverLetterGenerator->>PdflatexProcess: subprocess.Popen(["pdflatex", "-interaction=nonstopmode", "-no-shell-escape", tex_path.name])
    CoverLetterGenerator->>PdflatexProcess: communicate(timeout=30)

    alt subprocess.TimeoutExpired
        CoverLetterGenerator->>PdflatexProcess: kill()
        CoverLetterGenerator->>PdflatexProcess: communicate()
        CoverLetterGenerator-->>User: return False (PDF generation aborted)
    else process.returncode == 0 or output_path.exists()
        CoverLetterGenerator-->>User: return True (PDF generated securely)
    end
Loading

File-Level Changes

Change Details Files
Harden pdflatex and pandoc subprocess calls in PDFConverter and CoverLetterGenerator with no-shell-escape flags and timeouts, returning failure on compilation hangs.
  • Add -no-shell-escape to all pdflatex invocations used for PDF compilation.
  • Add --pdf-engine-opt=-no-shell-escape to pandoc invocations with xelatex as the PDF engine.
  • Wrap subprocess.communicate calls with a 30-second timeout and handle subprocess.TimeoutExpired by killing the process, calling communicate again, and returning False.
  • Preserve existing success checks based on process return code or output file existence while integrating timeout handling.
cli/pdf/converter.py
cli/generators/cover_letter_generator.py
Extend test coverage to assert secure invocation parameters and timeout handling for LaTeX/PDF compilation paths.
  • Introduce MockConfig helper and import PDFConverter and CoverLetterGenerator into the test module.
  • Add tests for PDFConverter pdflatex and pandoc compilation that verify no-shell-escape arguments, timeout usage, process.kill calls, and False return on timeout.
  • Add tests for CoverLetterGenerator LaTeX and pandoc compilation (including pandoc fallback when pdflatex is missing) verifying secure flags, timeout handling, and failure behavior.
  • Use unittest.mock.patch and side_effects on subprocess.Popen.communicate to simulate TimeoutExpired and normal completion flows.
tests/test_pdf_security.py
Update sentinel documentation with a new security incident entry describing the LaTeX subprocess execution vulnerability and its mitigation.
  • Document the missing no-shell-escape and timeout constraints as a critical LaTeX subprocess execution finding.
  • Capture the security learning around shell execution risks and DoS via compilation hangs.
  • Describe prevention guidance to always enforce no-shell-escape and strict timeouts with proper TimeoutExpired handling for LaTeX/Pandoc subprocesses.
.jules/sentinel.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The timeout handling logic for LaTeX/Pandoc subprocesses is duplicated in multiple methods; consider extracting a small helper to encapsulate the Popen + communicate(timeout) + TimeoutExpired/kill pattern for consistency and easier maintenance.
  • The 30-second timeout is currently hard-coded in several places; it may be worth making this configurable (e.g., via a constant or config option) so it can be tuned without code changes and kept consistent across all PDF compilation paths.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The timeout handling logic for LaTeX/Pandoc subprocesses is duplicated in multiple methods; consider extracting a small helper to encapsulate the `Popen` + `communicate(timeout)` + `TimeoutExpired`/kill pattern for consistency and easier maintenance.
- The 30-second timeout is currently hard-coded in several places; it may be worth making this configurable (e.g., via a constant or config option) so it can be tuned without code changes and kept consistent across all PDF compilation paths.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click πŸ‘ or πŸ‘Ž on each comment and I'll use the feedback to improve your reviews.

* Added `-no-shell-escape` flag to pdflatex subprocess calls.
* Added `--pdf-engine-opt=-no-shell-escape` flag to pandoc subprocess calls.
* Added 30-second timeouts to mitigate DoS via compilation hangs.
* Properly kill and clean up zombie processes on TimeoutExpired.
* Added comprehensive tests in `tests/test_pdf_security.py` to verify flags and timeout behavior.

Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant