Add PlantUML Security Profile by Default

[mfhepp]

It would be very good to run PlantUML in a mode with minimal access privileges, in order to contain any potential security issues.

Luckily, PlantUML provides readily available means for this, as documented here.

Basically, it should be sufficient for PlantUML to have access to the input file to convert and the path to which it should write the result of the conversion.

This can be achieved as follows:

java -DPLANTUML_SECURITY_PROFILE=ALLOWLIST  -D<list_of_paths>  ...

The list of paths need to be combined using the ; (on Windows) or : (Linux/OSX) separator, like so

java -DPLANTUML_SECURITY_PROFILE=ALLOWLIST  -Dplantuml.allowlist.path=/usr/common/:/usr/plantuml/  ...

I assume that the JRE needs access to only

• the folder than contains the PlantUML .jar file,
• the folder with the current document or a temporary file from the figure source code,
• the target folder (plots/).

I have not yet tested this on my machine, and the details may need to be fine-tuned, but my main point is that it should be made the default behavior. Otherwise, any vulnerability in PlantUML puts the entire Pandoc machine at risk.

[mfhepp]

Cross-referencing #50

[mfhepp]

Addition: It may also need to access the Graphviz/Dot engine binary.

[mfhepp]

@LaurentRDC Could you maybe provide an example of the complete command that pandoc-plot is executing when calling PlantUML? This would ease my work on this a lot. Thanks!

[LaurentRDC]

Hi there,

The complete command which is run is equivalent to the following shell command:

$executable $cmdargs -t$format -output "$outputPath" "$inputPath"

With the default configuration, the command might look like:

javaj -jar plantuml.jar -tpng -output "out.png" "diagram.uml"

Would it be a good starting point to modify the configuration to match the command you want?

Ultimately, we could also have the configuration contain the command template string, so that users can customize the command. However, I don't have time these days to look at this

[mgajda]

Would putting input and output files on allowlist suffice?
I understand this is too much: java -DPLANTUML_SECURITY_PROFILE=INTERNET -jar /path/to/plantuml.jar ...