🛡️ Sentinel: [CRITICAL] Fix Remote Code Execution in PDF generation

.jules/sentinel.md

@@ -7,3 +7,7 @@
 **Vulnerability:** The `CoverLetterGenerator` used a standard Jinja2 environment (intended for HTML/XML or plain text) to render LaTeX templates. This allowed malicious user input (or AI hallucinations) containing LaTeX control characters (e.g., `\input{...}`) to be injected directly into the LaTeX source, leading to potential Local File Inclusion (LFI) or other exploits.
 **Learning:** Jinja2's default `autoescape` is context-aware based on file extensions, but usually only for HTML/XML. It does NOT automatically escape LaTeX special characters. Relying on manual filters (like `| latex_escape`) in templates is error-prone and brittle, as developers might forget to apply them to every variable.
 **Prevention:** Always use a dedicated Jinja2 environment for LaTeX generation that enforces auto-escaping via a `finalize` hook (e.g., `tex_env.finalize = latex_escape`). This ensures *all* variable output is sanitized by default, providing defense-in-depth even if the template author forgets explicit filters.
+## 2025-02-28 - [CRITICAL] Remote Code Execution via PDF Generation
+**Vulnerability:** LaTeX compilers (`pdflatex`, `xelatex`, `lualatex`) and converters like `pandoc` are vulnerable to Remote Code Execution (RCE) via malicious LaTeX input using the `\write18` command, which allows arbitrary shell commands to execute during PDF compilation. Additionally, the subprocess calls lacked proper timeouts and process cleanup, creating a Denial of Service (DoS) vector via infinite compilation loops.
+**Learning:** These vulnerabilities exist because the default behavior of these compilers in many environments historically permitted shell execution for specific external utilities, and standard subprocess usage without explicit timeouts fails to handle hanging executions common with maliciously crafted documents. We discovered the application invokes PDF compilation engines in multiple locations (`TemplateGenerator`, `resume_pdf_lib`, `PDFConverter`, `CoverLetterGenerator`) that process potentially untrusted text.
+**Prevention:** Always explicitly disable shell execution features when invoking LaTeX compilers by appending `-no-shell-escape` to `pdflatex` (and similar compilers) and `--pdf-engine-opt=-no-shell-escape` to `pandoc`. Furthermore, always set explicit subprocess timeouts (e.g., `timeout=30`) when executing external binaries and implement robust resource cleanup by intercepting `subprocess.TimeoutExpired` to explicitly execute `process.kill()` and immediately call `process.communicate()` to prevent zombie processes and double-free issues.

cli/generators/cover_letter_generator.py

@@ -771,12 +771,18 @@ def _compile_pdf(self, output_path: Path, tex_content: str) -> bool:
         try:
             # Use Popen with explicit cleanup to avoid double-free issues
             process = subprocess.Popen(
-                ["pdflatex", "-interaction=nonstopmode", tex_path.name],
+                ["pdflatex", "-interaction=nonstopmode", "-no-shell-escape", tex_path.name],
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
                 cwd=tex_path.parent,
             )
-            stdout, stderr = process.communicate()
+            try:
+                stdout, stderr = process.communicate(timeout=30)
+            except subprocess.TimeoutExpired:
+                process.kill()
+                stdout, stderr = process.communicate()
+                return False
+
             if process.returncode == 0 or output_path.exists():
                 pdf_created = True
         except (subprocess.CalledProcessError, FileNotFoundError):
@@ -787,11 +793,24 @@ def _compile_pdf(self, output_path: Path, tex_content: str) -> bool:
                 # Fallback to pandoc
                 try:
                     process = subprocess.Popen(
-                        ["pandoc", str(tex_path), "-o", str(output_path), "--pdf-engine=xelatex"],
+                        [
+                            "pandoc",
+                            str(tex_path),
+                            "-o",
+                            str(output_path),
+                            "--pdf-engine=xelatex",
+                            "--pdf-engine-opt=-no-shell-escape"
+                        ],
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE,
                     )
-                    stdout, stderr = process.communicate()
+                    try:
+                        stdout, stderr = process.communicate(timeout=30)
+                    except subprocess.TimeoutExpired:
+                        process.kill()
+                        stdout, stderr = process.communicate()
+                        return False
+
                     if process.returncode == 0 or output_path.exists():
                         pdf_created = True
                 except (subprocess.CalledProcessError, FileNotFoundError):

cli/pdf/converter.py

@@ -86,12 +86,17 @@ def _compile_pdflatex(
         """
         try:
             process = subprocess.Popen(
-                ["pdflatex", "-interaction=nonstopmode", tex_path.name],
+                ["pdflatex", "-interaction=nonstopmode", "-no-shell-escape", tex_path.name],
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
                 cwd=working_dir,
             )
-            stdout, stderr = process.communicate()
+            try:
+                stdout, stderr = process.communicate(timeout=30)
+            except subprocess.TimeoutExpired:
+                process.kill()
+                stdout, stderr = process.communicate()
+                return False
 
             if process.returncode == 0 or output_path.exists():
                 return True
@@ -121,12 +126,24 @@ def _compile_pandoc(
         """
         try:
             process = subprocess.Popen(
-                ["pandoc", str(tex_path), "-o", str(output_path), "--pdf-engine=xelatex"],
+                [
+                    "pandoc",
+                    str(tex_path),
+                    "-o",
+                    str(output_path),
+                    "--pdf-engine=xelatex",
+                    "--pdf-engine-opt=-no-shell-escape",
+                ],
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
                 cwd=working_dir,
             )
-            stdout, stderr = process.communicate()
+            try:
+                stdout, stderr = process.communicate(timeout=30)
+            except subprocess.TimeoutExpired:
+                process.kill()
+                stdout, stderr = process.communicate()
+                return False
 
             if process.returncode == 0 or output_path.exists():
                 return True