Use minted without unrestricted shell escape

Question

The minted package requires that I enable unrestricted shell escapes (-shell-escape). This is a bit dangerous: it means that malicious latex files can run arbitrary commands and overwrite arbitrary files on the filesystem.

Is there a way to use minted without enabling unrestricted shell escapes? I know that it needs to call the Pygmentize program, and it calls ifplatform which runs the uname shell command. I noticed that there is a "restricted shell escape" feature; is there a way to use minted with restricted shell escapes. Or is there some other way to reduce the risk?

'Restricted' shell escape runs commands which have been checked, so you can't (or shouldn't) just add things to it. ('The whole of Python' is not really something one can regard as secure if you are being careful.) You can always run Pygmentize by hand. Not sure that's an answer ... — Joseph Wright, Jun 02 '17 at 15:44
Is the following minted issue relevant? https://github.com/gpoore/minted/issues/166 — scottkosty, Jul 05 '17 at 03:05
Somewhat more general question, online - How can I safely compile other people's LaTeX documents? - TeX - LaTeX Stack Exchange — user202729, May 15 '22 at 14:00

score 10 · Answer 1 · answered Jun 02 '17 at 15:46

Recent minted release have a finalizecache option that saves the cache in a less transient form, then you can change the document to use the frozencache option and from then on --shell-escape is not needed and it just uses the ready made files in the cache.

This means you still need shell-escape to create the highlighting but you can give the document to someone in a form that can be run with no access to the shell at all.

Use minted without unrestricted shell escape

1 Answers1

Linked