digineo / texd

texd wraps TeX in a web API
MIT License

allow --shell-escape equivalent #152

Open 3continents opened 15 hours ago

3continents commented 15 hours ago

Hi. Thanks for this product. It is truly great. It has allowed me to deploy latex generation to our internal web applications without having to download and manage a tex distribution locally on the app-server with each update.

I have, unfortunately, run into a specific. In my latex generation, I need to download images to include them in the documents. This is helpful locally but truly required when using your docker container which is separate from the rest of the containers. To achieve this locally, I have to run lualatex using the --shell-escape directive or I get image not found errors.

I am getting this error when posting to your web interface. Would it be possible to add the --shell-escape option in the URL parameters? That would solve everything for me.

dmke commented 12 hours ago

Hi @3continents,

I'm glad you find texd useful.

Adding -shell-escape support to texd is a bit dangerous, because it allows anyone with access to that server to run arbitrary commands. Some danger might be mitigated when running the compile process in a Docker container, but still, I wouldn't deploy this even to an internal-only system.

Do you require the lualatex compiler to fetch the images, or would it also be helpful if texd accepts URLs in addition to file attachments? Something akin to:

POST /render HTTP/1.1
Content-Type: multipart/form-data; boundary=boundary

--boundary
Content-Disposition: form-data; name=input.tex; filename=input.tex
Content-Type: application/octet-stream

[content of input.tex omitted]
--boundary
Content-Disposition: form-data; name=image.tiff; filename=image.tiff
Content-Type: application/x.texd; url=1

https://somewhere.example.com/satimg/export.tiff
--boundary--

This could instruct texd to fetch https://somewhere.example.com/satimg/export.tiff and store it as ./image.tiff in the project directory - before lualatex even starts.

(I'd prefer this approach, because then texd could also try to fetch multiple images in parallel).
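The multipart layout sketched above, handled server-side, as an added example (not texd's own code): it separates plain uploads from `application/x.texd; url=1` parts, reads the URL from the part body, accepts only absolute https URLs, and fetches through an injected function so the parse runs offline. `ParseRenderRequest` and the `fetch` parameter are assumed names.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/url"
	"strings"
)

// ParseRenderRequest walks the multipart body of a POST /render request and
// returns the files texd would write into the project directory before
// lualatex starts: uploaded bytes, or bytes fetched from the URL carried in the
// body of a part declared "Content-Type: application/x.texd; url=1" (assumed).
func ParseRenderRequest(body io.Reader, boundary string, fetch func(string) ([]byte, error)) (map[string][]byte, error) {
	files := map[string][]byte{}
	mr := multipart.NewReader(body, boundary)
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return files, nil
		} else if err != nil {
			return nil, err
		}
		// Part.FileName reduces the name to its base name: "../../x" stays in the project dir.
		name := p.FileName()
		if name == "" {
			return nil, fmt.Errorf("part %q has no filename", p.FormName())
		}
		raw, err := io.ReadAll(p)
		if err != nil {
			return nil, err
		}
		mt, params, _ := mime.ParseMediaType(p.Header.Get("Content-Type"))
		if mt != "application/x.texd" || params["url"] != "1" {
			files[name] = raw // plain upload: store as-is
			continue
		}
		// Only absolute https URLs: a url=1 part must not reach file:// or
		// plain-http targets. A host allow-list is an assumed deployment policy.
		u, err := url.Parse(strings.TrimSpace(string(raw)))
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("%s: only absolute https URLs are accepted", name)
		}
		if files[name], err = fetch(u.String()); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
}
```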

3continents commented 12 hours ago

I am not really worried about the security issue -- although I understand the concern. texd is running in a sandboxed container within a private network of other containers and only the app server has access to it. The app server makes an http call which I control and everything sits behind an nginx reverse proxy and a firewall where only ports 80 and 443 are open.

In any case, I can construct the request to download the images through the API if this is a preferred option for you. I appreciate your quick response and your willingness to add this functionality.

On Tue, Nov 5, 2024 at 5:08 PM Dominik Menke @.***> wrote:

dmke commented 12 hours ago

I'm just worried that some users will simply ignore the red flags, enable this feature and place a server instance on the internet (and then complain about the consequences). I guess the typical TeX user has a bit more understanding of the security implications.

I might prioritize adding a --shell-escape CLI argument to texd over a custom pipeline for fetching and storing external files (this is waaaay easier to implement).