OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Add Latex injection to the Formula Injection checks #1559

Closed ImanSharaf closed 8 months ago

ImanSharaf commented 1 year ago

As it stands, the current active issue only covers CSV injection, but it is important to also consider other types of injection attacks, such as those targeting LaTeX and Doc files.

Formula Injection is a type of attack that occurs when an application allows the input of mathematical expressions or formulas that are then interpreted by the application. An attacker can use this input to inject malicious code or conduct attacks such as cross-site scripting (XSS), SQL injection, or command injection. This vulnerability can be particularly dangerous in applications that perform complex mathematical operations.

tghosth commented 1 year ago

Do you have examples of exploitation of LaTeX injection?

ImanSharaf commented 1 year ago

@tghosth please check this

tghosth commented 1 year ago

So perhaps:

Verify that secure configuration and command allow-listing is used to prevent LaTeX injection attacks?

What do you think @ImanSharaf ?

tghosth commented 1 year ago

> So perhaps:
>
> Verify that secure configuration and command allow-listing is used to prevent LaTeX injection attacks?
>
> What do you think @ImanSharaf ?

Any thoughts on this @ImanSharaf ?

elarlang commented 1 year ago

What does "secure configuration" need to achieve?

jmanico commented 1 year ago

From ChatGPT.

Configuration Steps to Mitigate LaTeX Injection Attacks

  1. Input Validation and Sanitization: First and foremost, you should validate and sanitize any user input that will be inserted into a LaTeX document. This is the golden rule of security: never trust user input. Use whitelisting approaches to only allow specific LaTeX commands that you know are safe.

  2. Use Safe Packages: Some LaTeX packages are designed with security in mind and can help mitigate the risk of injection attacks. For example, the safeinput package in LaTeX can help you here.

  3. Limit Compiler Capabilities: If you're running a LaTeX compiler on a server, make sure to limit its capabilities. For instance, you can disable shell escape commands using the -no-shell-escape flag when running pdflatex.

```bash
pdflatex -no-shell-escape myfile.tex
```

  4. Use a Chroot Jail or Containers: Run the LaTeX compiler in a chroot jail or a containerized environment like Docker. This will limit the damage an attacker can do even if they manage to inject malicious LaTeX code.

  5. Filesystem Permissions: Ensure that the LaTeX compiler runs with the minimum necessary permissions. It shouldn't have write access to any directories other than the one where it's generating the output PDF.

  6. Monitor and Log: Keep an eye on logs for any suspicious activity. Set up alerts for unusual compiler behavior or system calls.

  7. Patch and Update: Keep your LaTeX distribution and all packages up to date. Security is a moving target, and staying updated is crucial.

  8. Code Reviews and Static Analysis: Regularly review the code that handles LaTeX document generation. Use static analysis tools that can identify potential security issues in the code.

  9. User Education: Last but not least, educate the users who are allowed to insert LaTeX code. Make sure they understand the risks involved and the types of LaTeX commands that are considered safe.
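
Added example (not part of this thread, of ASVS, or of any project's code): the allow-listing and secure-configuration requirement this thread converges on, wired together in Python. A lexical allow-list refuses every control sequence that is not explicitly permitted, and the compiler is then run with `-no-shell-escape` in a throwaway directory. The allow-list contents, the helper names, and the kpathsea `openin_any`/`openout_any` environment settings are my own assumptions about a TeX Live installation; adjust the list to the commands your application actually needs.

```python
"""Allow-list validation of a user-supplied LaTeX fragment, then a restricted
pdflatex run. Added example: the allow-list, helper names and environment
settings are assumptions, not ASVS text or any project's code."""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Control words we are willing to typeset from user input. Anything absent
# from this set is rejected, so file I/O, shell escape and macro definition
# primitives never reach the compiler. Deliberately small; extend per need.
ALLOWED_COMMANDS = frozenset({
    "textbf", "textit", "emph", "underline", "frac", "sqrt", "sum", "int",
    "alpha", "beta", "gamma", "pi", "left", "right", "cdot", "times",
    "ldots", "begin", "end", "item",
})
# Environments that \begin{...} may open.
ALLOWED_ENVIRONMENTS = frozenset({"itemize", "enumerate", "equation", "align"})
# Control symbols (backslash + one non-letter) that are harmless escapes.
ALLOWED_SYMBOLS = set("%&$#_{}\\ ,;:!")

CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)
ENV_NAME = re.compile(r"\\(?:begin|end)\s*\{([^}]*)\}")

# Constructed wrapper document; only the body comes from the user.
TEMPLATE = "\\documentclass{article}\n\\begin{document}\n%%BODY%%\n\\end{document}\n"


def validate_latex(fragment: str) -> list:
    """Return the list of allow-list violations; an empty list means accepted."""
    problems = []
    for m in CONTROL_SEQ.finditer(fragment):
        name = m.group(1)
        if len(name) == 1 and not name.isalpha():
            if name not in ALLOWED_SYMBOLS:
                problems.append(f"control symbol \\{name} not allowed")
        elif name not in ALLOWED_COMMANDS:
            problems.append(f"command \\{name} not allowed")
    for m in ENV_NAME.finditer(fragment):
        if m.group(1) not in ALLOWED_ENVIRONMENTS:
            problems.append(f"environment {m.group(1)} not allowed")
    # TeX's ^^ notation can spell arbitrary characters, so a lexical
    # allow-list is only sound if that notation is refused outright.
    if "^^" in fragment:
        problems.append("^^ character notation not allowed")
    return problems


def pdflatex_command(tex_path) -> list:
    """Argument vector for a locked-down pdflatex run (TeX Live option names)."""
    tex_path = Path(tex_path)
    return [
        "pdflatex",
        "-no-shell-escape",            # no \write18, regardless of texmf.cnf
        "-interaction=batchmode",      # never stop to read from the terminal
        "-halt-on-error",
        "-output-directory", str(tex_path.parent),
        tex_path.name,
    ]


def compile_fragment(fragment: str, timeout: float = 30.0) -> Optional[bytes]:
    """Validate, then compile in a throwaway directory. Returns the PDF bytes,
    or None when pdflatex is not installed on this host."""
    problems = validate_latex(fragment)
    if problems:
        raise ValueError("; ".join(problems))
    if shutil.which("pdflatex") is None:
        return None
    with tempfile.TemporaryDirectory() as work:
        tex = Path(work) / "doc.tex"
        tex.write_text(TEMPLATE.replace("%%BODY%%", fragment), encoding="utf-8")
        # kpathsea settings (assumed TeX Live): 'p' (paranoid) confines
        # \openin/\openout to the working tree; TEXMFOUTPUT keeps aux/log
        # files inside it as well.
        env = dict(os.environ, openin_any="p", openout_any="p", TEXMFOUTPUT=work)
        subprocess.run(
            pdflatex_command(tex), cwd=work, env=env, timeout=timeout,
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return (Path(work) / "doc.pdf").read_bytes()


if __name__ == "__main__":
    sample = r"\textbf{Total:} $\frac{3}{4}$ of 100\%"   # constructed input
    print("violations:", validate_latex(sample))
    print("violations:", validate_latex(r"\input{other}"))
```

The allow-list is the first line of defence and the compiler flags are the second; neither replaces running the compiler in a container or chroot with a filesystem it cannot write outside of. Keep the allow-list short: every command added to it is one more thing to reason about, and macro-defining or file-reading primitives should never be on it.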

ImanSharaf commented 1 year ago

> Verify that secure configuration and command allow-listing is used to prevent LaTeX injection attacks?

I believe it would be prudent to consolidate all variations of Formula Injections, including CSV injection, LaTeX injection, and others, under a single ASVS item.

elarlang commented 1 year ago

> Verify that secure configuration and command allow-listing is used to prevent LaTeX injection attacks?

> I believe it would be prudent to consolidate all variations of Formula Injections, including CSV injection, LaTeX injection, and others, under a single ASVS item.

We just merged CSV and Formula Injection into the repo (https://github.com/OWASP/ASVS/issues/1469 / PR https://github.com/OWASP/ASVS/pull/1709).

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 5.3.12 | [ADDED] Verify that the application is protected against CSV and Formula Injection. The application should follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV files. The application should escape special characters including '=', '+', '-', '@', '\t' (tab) and '\00' (null character) using a single quote, if they are the first character in a field, when exporting CSV files and other spreadsheet formats such as xls, xlsx, odf. | | | | 1236 |

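
Added example (not the PR's or ASVS's own code; the function names are mine): the escaping that 5.3.12 describes, written out in Python so the two rules can be checked separately. The single-quote prefix for the listed trigger characters is applied first, and RFC 4180 2.6/2.7 quoting second, so the apostrophe becomes part of the field content.

```python
"""CSV export that follows RFC 4180 sections 2.6/2.7 and neutralises the
formula-trigger characters listed in ASVS 5.3.12. Added example, not ASVS or
project code; function names are my own."""

# Characters a spreadsheet treats as the start of a formula when they are
# the first character of a cell (the list from 5.3.12).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\0")


def neutralize_formula(value: str) -> str:
    """Prefix a single quote so the spreadsheet stores the cell as text."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def quote_field(value: str) -> str:
    """RFC 4180 2.6: fields containing a comma, double quote or line break are
    enclosed in double quotes; 2.7: embedded double quotes are doubled."""
    if any(ch in value for ch in (",", '"', "\r", "\n")):
        return '"' + value.replace('"', '""') + '"'
    return value


def escape_cell(value) -> str:
    """Neutralise first, then quote, so the apostrophe is part of the field."""
    return quote_field(neutralize_formula(str(value)))


def export_csv(rows) -> str:
    """Render rows (iterables of cells) as CRLF-terminated CSV text."""
    return "".join(",".join(escape_cell(c) for c in row) + "\r\n" for row in rows)


if __name__ == "__main__":
    # Constructed sample: ordinary text, a cell starting with a formula
    # trigger, and a cell that needs RFC 4180 quoting.
    rows = [["name", "comment"],
            ["alice", "plain text"],
            ["bob", "=SUM(A1:A2)"],
            ["carol", 'said "hi", then left']]
    print(export_csv(rows), end="")
```

One caveat the requirement text leaves implicit: the rule as written also prefixes a negative number stored as a string (`"-5"` becomes `'-5`), so exports with numeric columns should emit those as numbers and apply the prefix only to free-text cells. The prefix protects spreadsheet consumers; it does not replace the RFC 4180 quoting that keeps ordinary CSV parsers aligned.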
ImanSharaf commented 1 year ago

@elarlang can we mention LaTeX injection there too?

elarlang commented 1 year ago

Added 5.3.12 is already quite long and really specific to formula injection; I don't think additionally adding LaTeX injection there would be a good idea.

Also, I would like to know, are there any stats on how much LaTeX is used in applications? I have not seen any in practice.

tghosth commented 1 year ago

> Verify that LaTeX processors are configured securely (such as not using the "--shell-escape" flag) and command allow-listing is used to prevent LaTeX injection attacks.

@elarlang I agree this should be separate. I have added more specifics on secure configuration based on @jmanico's content.

@ImanSharaf what do you think about the update?

tghosth commented 8 months ago

PR #1842. I made it L2 as it seems a little niche.