🛡️ Sentinel: [High] Fix RCE and DoS in PDF compilation

[anchapin]

🚨 Severity: HIGH
💡 Vulnerability: The PDFConverter and CoverLetterGenerator modules were executing pdflatex and pandoc via subprocess.Popen without enforcing the -no-shell-escape flag or timeouts on the communicate() calls.
🎯 Impact: This allowed potential Remote Code Execution (RCE) via LaTeX's \write18{...} feature and Denial of Service (DoS) via infinite compilation loops when handling untrusted user input or maliciously crafted job descriptions/templates.
🔧 Fix:

• Explicitly added -no-shell-escape (and --pdf-engine-opt=-no-shell-escape for pandoc) to all external compilation commands in cli/pdf/converter.py and cli/generators/cover_letter_generator.py.
• Added a 30-second timeout to process.communicate(), catching subprocess.TimeoutExpired to explicitly kill hanging processes and clear the I/O buffers.
• Added comprehensive unit tests mocking the subprocess timeouts and verifying the command arguments in tests/test_pdf_security.py.
  ✅ Verification: Ran the full pytest suite ensuring all tests passed, and specifically verified tests/test_pdf_security.py successfully caught the expected mock behaviors without regressions.

---

PR created automatically by Jules for task 11426473784438085786 started by @anchapin

Summary by Sourcery

Harden PDF generation against command injection and hangs by securing LaTeX/Pandoc subprocess execution and adding regression tests.

Bug Fixes:

• Prevent potential RCE by forcing pdflatex and pandoc invocations to run with shell escape disabled.
• Mitigate DoS scenarios in PDF compilation by enforcing a 30-second timeout and killing stuck subprocesses.

Documentation:

• Extend Sentinel security notes with a new entry documenting the RCE/DoS risk in subprocess-based PDF compilation and its prevention.

Tests:

• Add unit tests for PDFConverter and CoverLetterGenerator to verify no-shell-escape flags, pandoc options, and subprocess timeouts are correctly applied.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[sourcery-ai]

Reviewer's Guide

Harden PDF compilation in PDFConverter and CoverLetterGenerator against RCE and DoS by enforcing no-shell-escape flags, adding timeouts and cleanup for subprocess communication, and adding tests plus Sentinel documentation for the security fix.

Sequence diagram for secured pdflatex and pandoc compilation

sequenceDiagram
    participant Caller
    participant PDFConverter
    participant Subprocess
    participant Pdflatex
    participant Pandoc

    Caller->>PDFConverter: _compile_pdflatex(tex_path, output_path, working_dir)
    PDFConverter->>Subprocess: Popen([pdflatex,-interaction=nonstopmode,-no-shell-escape,tex_path.name],cwd=working_dir)
    Subprocess-->>Pdflatex: start process
    PDFConverter->>Subprocess: communicate(timeout=30)
    alt pdflatex_completes_in_time
        Subprocess-->>PDFConverter: stdout, stderr
        alt success_or_output_exists
            PDFConverter-->>Caller: True
        else failure_and_no_output
            PDFConverter-->>Caller: False
        end
    else pdflatex_timeout
        Subprocess-->>PDFConverter: TimeoutExpired
        PDFConverter->>Subprocess: kill()
        PDFConverter->>Subprocess: communicate()
        Subprocess-->>PDFConverter: stdout, stderr
        PDFConverter-->>Caller: False
    end

    Caller->>PDFConverter: _compile_pandoc(tex_path, output_path, working_dir)
    PDFConverter->>Subprocess: Popen([pandoc,tex_path,-o,output_path,--pdf-engine=xelatex,--pdf-engine-opt=-no-shell-escape],cwd=working_dir)
    Subprocess-->>Pandoc: start process
    PDFConverter->>Subprocess: communicate(timeout=30)
    alt pandoc_completes_in_time
        Subprocess-->>PDFConverter: stdout, stderr
        alt success_or_output_exists
            PDFConverter-->>Caller: True
        else failure_and_no_output
            PDFConverter-->>Caller: False
        end
    else pandoc_timeout
        Subprocess-->>PDFConverter: TimeoutExpired
        PDFConverter->>Subprocess: kill()
        PDFConverter->>Subprocess: communicate()
        Subprocess-->>PDFConverter: stdout, stderr
        PDFConverter-->>Caller: False
    end

Loading

Flow diagram for secured cover letter PDF compilation with fallback

flowchart TD
    Start([Start _compile_pdf])
    A[Write tex_content to temporary tex_path]
    B[Run pdflatex with -interaction=nonstopmode and -no-shell-escape]
    C{pdflatex communicate timeout?}
    D[Kill pdflatex process
and call communicate again]
    E{pdflatex succeeded
or output_path exists?}
    F[Set pdf_created to True
and return]
    G[Log failure and
attempt pandoc fallback]
    H[Run pandoc with --pdf-engine=xelatex
and --pdf-engine-opt=-no-shell-escape]
    I{pandoc communicate timeout?}
    J[Kill pandoc process
and call communicate again]
    K{pandoc succeeded
or output_path exists?}
    L[Set pdf_created to True
and return]
    M[Set pdf_created to False
and return]

    Start --> A --> B --> C
    C -- Yes --> D --> E
    C -- No --> E
    E -- Yes --> F
    E -- No --> G --> H --> I
    I -- Yes --> J --> K
    I -- No --> K
    K -- Yes --> L
    K -- No --> M

Loading

File-Level Changes

Change	Details	Files
Harden pdflatex invocation in CoverLetterGenerator against shell escape and hangs.	Add -no-shell-escape flag to pdflatex command used in _compile_pdf. Wrap process.communicate() with a 30-second timeout and handle subprocess.TimeoutExpired by killing the process and re-draining stdout/stderr. Apply the same timeout-and-kill pattern to the pandoc fallback path, ensuring hung conversions are terminated.	cli/generators/cover_letter_generator.py
Harden PDFConverter subprocess calls for pdflatex and pandoc.	Add -no-shell-escape flag to the pdflatex command in _compile_pdflatex. Extend pandoc invocation in _compile_pandoc with --pdf-engine-opt=-no-shell-escape to disable shell escapes in the LaTeX engine. Wrap both pdflatex and pandoc communicate() calls with a 30-second timeout and handle subprocess.TimeoutExpired by killing the process and then reading remaining output.	cli/pdf/converter.py
Add security-focused tests verifying arguments and timeout behavior for PDF compilation.	Import PDFConverter and CoverLetterGenerator into the PDF security test module. Mock subprocess.Popen to simulate TimeoutExpired on the first communicate() call, followed by a successful call, for converter and cover letter generator paths. Assert that communicate() is called with timeout=30, that kill() is invoked on timeout, and that the no-shell-escape-related flags plus engine names are present in the constructed commands for pdflatex and pandoc.	tests/test_pdf_security.py
Document the new subprocess-based PDF compilation vulnerability and fix in Sentinel notes.	Add a new high-severity Sentinel entry describing the RCE and DoS risks from missing -no-shell-escape flags and lack of timeouts in PDFConverter and CoverLetterGenerator. Record learnings about duplicated vulnerable patterns across modules and the need for uniform hardening of subprocess usage. Document preventive practices such as grepping for subprocess.Popen and always enforcing timeouts and explicit process cleanup.	.jules/sentinel.md

Possibly linked issues

• #Security: Address bandit high severity findings in CI: The PR directly fixes high‑severity subprocess security issues in PDF compilation that likely correspond to Bandit’s failing findings.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The timeout and -no-shell-escape handling around subprocess.Popen is now duplicated in both PDFConverter and CoverLetterGenerator; consider extracting a small shared helper (e.g., run_latex_command(...)) so the security-critical behavior is defined in one place and easier to keep consistent.
• The 30-second timeout is currently an inline literal in multiple places; introducing a single module-level constant (or configuration) for the PDF compile timeout would make it easier to tune and ensure all call sites stay aligned.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The timeout and `-no-shell-escape` handling around `subprocess.Popen` is now duplicated in both `PDFConverter` and `CoverLetterGenerator`; consider extracting a small shared helper (e.g., `run_latex_command(...)`) so the security-critical behavior is defined in one place and easier to keep consistent.
- The 30-second timeout is currently an inline literal in multiple places; introducing a single module-level constant (or configuration) for the PDF compile timeout would make it easier to tune and ensure all call sites stay aligned.

## Individual Comments

### Comment 1
<location path="tests/test_pdf_security.py" line_range="107" />
<code_context>
+        self.assertIn("--pdf-engine-opt=-no-shell-escape", command)
+        self.assertIn("pandoc", command)
+
+    @patch("subprocess.Popen")
+    def test_cover_letter_pdflatex_timeout_and_args(self, mock_popen):
+        process_mock = MagicMock()
</code_context>
<issue_to_address>
**issue (testing):** Patch target for `Popen` in `CoverLetterGenerator` tests is incorrect and may call the real subprocess implementation

Because `cover_letter_generator.py` imports `subprocess` directly, the patch must target the symbol as used in that module (e.g. `@patch("cli.generators.cover_letter_generator.subprocess.Popen")`). Using `@patch("subprocess.Popen")` won’t intercept the call inside `_compile_pdf` and can trigger the real `pdflatex` during tests. Please update the patch target accordingly.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (testing): Patch target for Popen in CoverLetterGenerator tests is incorrect and may call the real subprocess implementation

Because cover_letter_generator.py imports subprocess directly, the patch must target the symbol as used in that module (e.g. @patch("cli.generators.cover_letter_generator.subprocess.Popen")). Using @patch("subprocess.Popen") won’t intercept the call inside _compile_pdf and can trigger the real pdflatex during tests. Please update the patch target accordingly.