
I'm planning to create a service that would allow users to render LaTeX documents online with TeX Live running on the server, and I would like to enable certain features (such as gnuplot) that require --shell-escape.

My question is: Is there a way to enable shell escape in a way that would be secure enough for this purpose?

And also: Are there any other security issues that I should consider when compiling untrusted LaTeX code on a server?

I see that texmf.conf has the following list:

shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
gregorio,\
kpsewhich,\
makeindex,\
repstopdf,\
r-mpost,\
texosquery-jre8,\

However, I see that gnuplot is not in the list, but I can still run gnuplot when I put \pgfkeys{/pgf/plot/gnuplot call={gnuplot}} in my source, and that seems like a security problem.

ttsc
  • You can (as, for example, Overleaf does) run in a Docker container, which you discard after each run so one job cannot harm the next. I do not understand your gnuplot example. Using gnuplot from pgf does require --shell-escape – David Carlisle Jun 19 '22 at 11:12
  • I am using Docker containers, but somebody could still abuse the system by making repeated calls to run their own code mining bitcoin for example. However, you are making a good point in the sense that setting a time limit for each job and discarding the container afterwards would make abuse more difficult. – ttsc Jun 19 '22 at 14:57
  • Regarding gnuplot, I thought that --shell-escape should only allow commands that are listed in the allowed commands list, but gnuplot is not there. – ttsc Jun 19 '22 at 14:59
  • No, the opposite. They are the commands allowed by default, that do not need shell-escape. If you use --shell-escape you have full access to any command you could run on the command line. – David Carlisle Jun 19 '22 at 15:15
  • Ok. I see. So, if I would like to use gnuplot without the possibility to run any other commands, I could add gnuplot to the list and not use --shell-escape, right? – ttsc Jun 19 '22 at 16:47
  • Yes, but the reason gnuplot is not there is that gnuplot can run system commands, so if you add it you have no security. A supplied tex file can write then execute a gnuplot command that can run any command on the system. repstopdf and r-mpost in that list are carefully tested wrappers around epstopdf and metapost that prevent shell access and prevent reading files in parent directories for exactly this reason. – David Carlisle Jun 19 '22 at 17:10
  • https://sourceforge.net/p/gnuplot/bugs/726/ – David Carlisle Jun 19 '22 at 17:15

0 Answers
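An added example (not part of the question or its comments, and not TeX Live code) that checks the distinction drawn in the comments: a compile job is audited for whether it runs with full shell escape, or in restricted mode with an allowlist that contains an unrestricted program. The function names, the `UNSAFE_IN_ALLOWLIST` set and the shortened sample config are constructed here; treating an unset `shell_escape` as disabled, treating `%` anywhere as a comment start, and resolving mixed flags toward the most permissive one are assumptions.

```python
# Programs the comments above describe as unsafe to allow: gnuplot (can run
# system commands) and epstopdf / mpost (the forms without the restricting
# repstopdf / r-mpost wrappers). This set is an assumption of the example.
UNSAFE_IN_ALLOWLIST = {"gnuplot", "epstopdf", "mpost"}

def parse_cnf(text):
    """Parse 'name = value' lines, joining backslash continuations."""
    settings, pending = {}, ""
    for raw in text.splitlines() + [""]:      # "" flushes a trailing continuation
        line = raw.split("%", 1)[0].strip()   # simplification: '%' starts a comment
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if "=" in line:
            name, value = line.split("=", 1)
            settings.setdefault(name.strip(), value.strip())  # keep first definition
    return settings

def effective_mode(cfg, argv):
    """Return 'full', 'restricted' or 'disabled' for this compile job."""
    flags = {a.lstrip("-") for a in argv if a.startswith("-")}
    if "shell-escape" in flags:               # conservative: most permissive flag wins
        return "full"
    if "no-shell-escape" in flags:
        return "disabled"
    if "shell-restricted" in flags:
        return "restricted"
    value = cfg.get("shell_escape", "f")[:1]  # assumption: unset means disabled
    if value in ("t", "y", "1"):
        return "full"
    return "restricted" if value == "p" else "disabled"

def audit(cnf_text, argv):
    """Return (mode, findings) for a config text and an engine command line."""
    cfg = parse_cnf(cnf_text)
    mode = effective_mode(cfg, argv)
    findings = []
    if mode == "full":
        findings.append("full shell escape: any command can run, allowlist not used")
    elif mode == "restricted":
        allowed = [c.strip() for c in cfg.get("shell_escape_commands", "").split(",")]
        findings += [f"allowlist contains unrestricted program: {c}"
                     for c in allowed if c in UNSAFE_IN_ALLOWLIST]
    return mode, findings

# Constructed sample: a shortened form of the list quoted in the question.
SAMPLE_CNF = "shell_escape = p\nshell_escape_commands = \\\nbibtex,bibtex8,\\\nrepstopdf,\\\nr-mpost,\\\n"
```

Calling `audit(SAMPLE_CNF + "gnuplot\n", ["pdflatex", "doc.tex"])` reports the gnuplot entry, while the same config with `--shell-escape` on the command line reports full shell escape regardless of the list.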