[Tex/LaTex] Use minted without unrestricted shell escape

mintedshell-escape

The minted package requires that I enable unrestricted shell escapes (-shell-escape). This is a bit dangerous: it means that malicious latex files can run arbitrary commands and overwrite arbitrary files on the filesystem.

Is there a way to use minted without enabling unrestricted shell escapes? I know that it needs to call the Pygmentize program, and it calls ifplatform which runs the uname shell command. I noticed that there is a "restricted shell escape" feature; is there a way to use minted with restricted shell escapes. Or is there some other way to reduce the risk?

Best Answer

Recent minted release have a finalizecache option that saves the cache in a less transient form, then you can change the document to use the frozencache option and from then on --shell-escape is not needed and it just uses the ready made files in the cache.

This means you still need shell-escape to create the highlighting but you can give the document to someone in a form that can be run with no access to the shell at all.

Related Solutions

[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list

I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to setup a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read

#!/bin/tcsh

set path= (/usr/texbin /usr/local/bin $path)
pdflatex -shell-escape "$1"

and, for a file you want to compile with unrestricted shell escape, write at its beginning

% !TEX TS-program = pdflatexshell

so that the engine will be automatically selected on opening.

What to do with other front-ends or LyX will vary.

If you really want to use the restricted shell escape, you have to enable

uname
rm
echo
latex

The program list can be determined by searching for runsystem in the .log file.

[Tex/LaTex] Is Arara safe/secure

_{I think my answer will be totally biased, but here it goes. :)}

It's quite subjective for me to afirm that arara is safe or secure. It's just a program with a specific purpose, just like most of the tools available out there. Maybe the best answer I can come up with is: it depends.

arara per se simply expands directives into commands through rules that specify the way this expansion shoud happen. Commands are then delegated to the underlying operating system.

The program requires a valid directive (mapped to a rule) in order to run, otherwise the process stops.

Uh-oh, I could not find the 'foo' rule in the search path. Could
you take a look if the rule name is correct and if the rule is
accessible through the search path?

If there are no directives, arara will also complain.

I didn't find any directives in 'test.tex', and so didn't do
anything. Is that what you really wanted?

If we run arara with the --log option enabled, we can have a list of directives found in the .tex file.

21 Mar 2013 07:32:10.630 INFO  Arara - Welcome to arara!
21 Mar 2013 07:32:10.634 INFO  Arara - Processing file 'folheto.tex', please wait.
21 Mar 2013 07:32:10.635 INFO  DirectiveExtractor - Reading directives from folheto.tex.
21 Mar 2013 07:32:10.649 TRACE DirectiveExtractor - Directive found in line 1 with pdflatex.
21 Mar 2013 07:32:10.650 TRACE DirectiveExtractor - Directive found in line 2 with clean: { files: [ folheto.aux, folheto.log, folheto.sxc, folheto.synctex.gz ] }.
...

Heiko suggested a --dry-run option to arara, which consists of simulating the execution without actually running the commands. Hopefully it will be available in the upcoming version.

After getting the directives, arara will look for rules.

...
21 Mar 2013 07:32:10.799 INFO  TaskDeployer - Deploying tasks into commands.
21 Mar 2013 07:32:10.799 TRACE TaskDeployer - Task 'pdflatex' found in '/usr/local/texlive/2012/texmf-dist/scripts/arara/rules'.
21 Mar 2013 07:32:11.010 TRACE TaskDeployer - Task 'clean' found in '/usr/local/texlive/2012/texmf-dist/scripts/arara/rules'.
21 Mar 2013 07:32:11.083 TRACE TaskDeployer - Task 'clean' found in '/usr/local/texlive/2012/texmf-dist/scripts/arara/rules'.
21 Mar 2013 07:32:11.099 TRACE TaskDeployer - Task 'clean' found in '/usr/local/texlive/2012/texmf-dist/scripts/arara/rules'.
21 Mar 2013 07:32:11.104 TRACE TaskDeployer - Task 'clean' found in '/usr/local/texlive/2012/texmf-dist/scripts/arara/rules'.
...

arara shows the full path for the rule according to the directive. Then the commands will be executed.

...
21 Mar 2013 07:32:11.108 INFO  CommandTrigger - Ready to run commands.
21 Mar 2013 07:32:11.108 INFO  CommandTrigger - Running 'PDFLaTeX'.
21 Mar 2013 07:32:11.108 TRACE CommandTrigger - Command: pdflatex "folheto.tex"
...

Back to the question. Is it possible to run malicious code through arara? Yes. Is this a problem? No. :) After all, we can get, say, a Perl program and deliberately inject code into its execution. Or write a .tex file with malicious Lua code inside it. Or have a naughty Makefile that runs rm -rf / in our system.

I think the security issues are valid. Let's see an example, the clean rule.

!config
# Clean rule for arara
# author: Paulo Cereda
# requires arara 3.0+
identifier: clean
name: CleaningTool
command: <arara> @{remove}
arguments:
- identifier: remove
  default: <arara> @{isFalse(file == getOriginalFile(), isWindows("cmd /c del", "rm -f").concat(' "').concat(file).concat('"'))}

Using this directive

% arara: clean: { files: [ foo.aux, foo.log ] }

will make arara remove two files, foo.aux and foo.log. There's an important check which prevents arara from removing the main .tex file if no files directive argument is provided. Say,

% arara: clean

does nothing.

Let's say we will replace the default instruction by

default: <arara> @{isWindows("cmd /c del", "rm -f").concat(' "').concat(file).concat('"')}

If we try

% arara: clean

the main .tex file (possibly foo.tex) will be gone! Neat isn't it? :)

Of course, we are talking about a faulty rule.

arara has the following workflow:

Read all directives.
Find their corresponding rules.
Expand directives into commands.
Run all commands.

That's the basic idea behind the program.

It might be worth mentioning that the program makes use of a library to execute these external commands which doesn't allow subshell calls.

Anyway, I really don't know what else to say. :) We are all vulnerable to malicious packages, but that's a risk we need to take. Thankfully, source code has to be available in order to hit CTAN (not entirely true, but true for packages), so we can always check entries for suspicious elements.

As I said, LuaTeX for example allows I/O from Lua, which can also be dangerous. We are exposed to some level of threat at some time, it depends our use. :)

And running arara (or any program) in a server without a sandbox... ouch. :)

Best Answer

Related Solutions

[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list

[Tex/LaTex] Is Arara safe/secure

Related Question