mfhepp
commented
1 year ago Cross-referencing #50
Open mfhepp opened 1 year ago
mfhepp
commented
1 year ago Cross-referencing #50
mfhepp
commented
1 year ago Addition: It may also need to access the Graphviz/Dot engine binary.
mfhepp
commented
1 year ago @LaurentRDC Could you maybe provide an example of the complete command that pandoc-plot is executing when calling PlantUML? This would ease my work on this a lot. Thanks!
LaurentRDC
commented
1 year ago Hi there,
The complete command which is run is equivalent to the following shell command:
$executable $cmdargs -t$format -output "$outputPath" "$inputPath"With the default configuration, the command might look like:
javaj -jar plantuml.jar -tpng -output "out.png" "diagram.uml"Would it be a good starting point to modify the configuration to match the command you want?
Ultimately, we could also have the configuration contain the command template string, so that users can customize the command. However, I don't have time these days to look at this
mgajda
It would be very good to run PlantUML in a mode with minimal access privileges, in order to contain any potential security issues.
Luckily, PlantUML provides readily available means for this, as documented here.
Basically, it should be sufficient for PlantUML to have access to the input file to convert and the path to which it should write the result of the conversion.
This can be achieved as follows:
The list of paths need to be combined using the
;(on Windows) or:(Linux/OSX) separator, like soI assume that the JRE needs access to only
.jarfile,plots/).I have not yet tested this on my machine, and the details may need to be fine-tuned, but my main point is that it should be made the default behavior. Otherwise, any vulnerability in PlantUML puts the entire Pandoc machine at risk.