🛡️ Sentinel: [CRITICAL] Fix RCE and DoS in scattered LaTeX Compilations by anchapin · Pull Request #360 · anchapin/resume-cli

anchapin · 2026-06-15T08:16:17Z

🚨 Severity: CRITICAL
💡 Vulnerability: Scattered pdflatex and pandoc compilations (cli/pdf/converter.py, cli/generators/cover_letter_generator.py) lacked -no-shell-escape flags and explicit timeouts.
🎯 Impact: Allowed untrusted input with LaTeX control characters to execute commands on the machine (RCE), or lock up the application due to infinite compilation loops (DoS / zombie processes).
🔧 Fix: Enforced -no-shell-escape directly to pdflatex commands and via --pdf-engine-opt=-no-shell-escape to pandoc commands. Added 30-second timeouts (timeout=30) utilizing Python's subprocess.TimeoutExpired handling with kill() and a secondary communicate() cleanup.
✅ Verification: Tests in tests/test_pdf_security.py and the main pytest suite were passed successfully, proving fixes function without regressions. Updated .jules/sentinel.md appropriately with learning.

PR created automatically by Jules for task 15799039605999439386 started by @anchapin

Added strict security parameters (`-no-shell-escape` flags and 30-second timeouts) to instances in `cli/pdf/converter.py` and `cli/generators/cover_letter_generator.py` that execute `pdflatex` or `pandoc` compilations as subprocesses to prevent RCE and zombie processes. Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>

google-labs-jules · 2026-06-15T08:16:18Z

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

sourcery-ai

Sorry @anchapin, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

…ns and apply proper code formatting Added strict security parameters (`-no-shell-escape` flags and 30-second timeouts) to instances in `cli/pdf/converter.py` and `cli/generators/cover_letter_generator.py` that execute `pdflatex` or `pandoc` compilations as subprocesses to prevent RCE and zombie processes. Also fixed black code formatting issues causing CI failures. Co-authored-by: anchapin <6326294+anchapin@users.noreply.github.com>

sourcery-ai Bot reviewed Jun 15, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🛡️ Sentinel: [CRITICAL] Fix RCE and DoS in scattered LaTeX Compilations#360

🛡️ Sentinel: [CRITICAL] Fix RCE and DoS in scattered LaTeX Compilations#360
anchapin wants to merge 2 commits into
mainfrom
sentinel-pdf-rce-fix-15799039605999439386

anchapin commented Jun 15, 2026

Uh oh!

google-labs-jules Bot commented Jun 15, 2026

Uh oh!

sourcery-ai Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

anchapin commented Jun 15, 2026

Uh oh!

google-labs-jules Bot commented Jun 15, 2026

Uh oh!

sourcery-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant