Merge pull request #8681 from sagemathinc/fix-sagetex-clean-8680

haraldschilly · web-flow · commit 2ae60e4cbebd · 2025-12-18T14:04:23.000+01:00
frontend/latex: fix sagetex vs. clean issue
diff --git a/src/packages/frontend/frame-editors/latex-editor/actions.ts b/src/packages/frontend/frame-editors/latex-editor/actions.ts
@@ -50,6 +50,7 @@ import { once } from "@cocalc/util/async-utils";
 import { ExecOutput } from "@cocalc/util/db-schema/projects";
 import {
   change_filename_extension,
+  is_bad_latex_filename,
   path_split,
   separate_file_extension,
   sha1,
@@ -238,9 +239,10 @@ export class Actions extends BaseActions<LatexEditorState> {
 
   private init_bad_filename(): void {
     // #3230 two or more spaces
+    // Shell injection prevention: single quotes break bash string interpolation
     // note: if there are additional reasons why a filename is bad, add it to the
     // alert msg in run_build.
-    this.bad_filename = /\s\s+/.test(this.path);
+    this.bad_filename = is_bad_latex_filename(this.path);
   }
 
   private init_ext_filename(): void {
@@ -878,7 +880,7 @@ export class Actions extends BaseActions<LatexEditorState> {
 
     if (this.bad_filename) {
       const err = `ERROR: It is not possible to compile this LaTeX file with the name '${this.path}'.
-        Please modify the filename, such that it does **not** contain two or more consecutive spaces.`;
+        Please modify the filename, such that it does **not** contain two or more consecutive spaces or single quotes (').`;
       this.set_error(err);
       return;
     }
diff --git a/src/packages/frontend/frame-editors/latex-editor/sagetex.ts b/src/packages/frontend/frame-editors/latex-editor/sagetex.ts
@@ -1,5 +1,5 @@
 /*
- *  This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
+ *  This file is part of CoCalc: Copyright © 2020-2025 Sagemath, Inc.
  *  License: MS-RSL – see LICENSE.md for details
  */
 
@@ -33,18 +33,26 @@ export async function sagetex_hash(
   const { base, directory } = parse_path(path); // base, directory, filename
   const s = sagetex_file(base);
   status(`sha1sum ${s}`);
+
+  // Check if file exists and compute hash only if it does; otherwise return unique value
   const output = await exec(
     {
       timeout: 10,
-      command: "sha1sum",
-      args: [s],
+      command: `test -f '${s}' && sha1sum '${s}' || true`,
+      bash: true,
       project_id: project_id,
       path: output_directory || directory,
-      err_on_exit: true,
+      err_on_exit: false,
       aggregate: time,
     },
     path,
   );
+
+  // If file doesn't exist, return unique timestamp-based value to ensure rebuild
+  if (!output.stdout.trim()) {
+    return `missing-${Date.now()}`;
+  }
+
   return output.stdout.split(" ")[0];
 }
 
diff --git a/src/packages/util/misc.test.ts b/src/packages/util/misc.test.ts
@@ -160,6 +160,24 @@ test("EDITOR_PREFIX", () => {
   expect(misc.EDITOR_PREFIX).toBe("editor-");
 });
 
+describe("is_bad_latex_filename", () => {
+  test("allows filenames without double spaces or quotes", () => {
+    expect(misc.is_bad_latex_filename("paper.tex")).toBe(false);
+    expect(misc.is_bad_latex_filename("my paper.tex")).toBe(false);
+    expect(misc.is_bad_latex_filename("folder/subfolder/file.tex")).toBe(false);
+  });
+
+  test("rejects filenames with double spaces", () => {
+    expect(misc.is_bad_latex_filename("my  paper.tex")).toBe(true);
+    expect(misc.is_bad_latex_filename("folder/bad  name/file.tex")).toBe(true);
+  });
+
+  test("rejects filenames with single quotes", () => {
+    expect(misc.is_bad_latex_filename("author's-notes.tex")).toBe(true);
+    expect(misc.is_bad_latex_filename("folder/author's-notes.tex")).toBe(true);
+  });
+});
+
 describe("test code for displaying numbers as currency with 2 or sometimes 3 decimals of precision", () => {
   const { currency } = misc;
   it("displays 1.23", () => {
diff --git a/src/packages/util/misc.ts b/src/packages/util/misc.ts
@@ -160,6 +160,14 @@ export function change_filename_extension(
   return `${name}.${new_ext}`;
 }
 
+// Check if a filename contains characters that are problematic for LaTeX compilation.
+// Returns true if the filename contains:
+// - Two or more consecutive spaces (breaks LaTeX processing, see #3230)
+// - Single quotes (breaks bash string interpolation in build commands)
+export function is_bad_latex_filename(path: string): boolean {
+  return /\s\s+|'/.test(path);
+}
+
 // Takes parts to a path and intelligently merges them on '/'.
 // Continuous non-'/' portions of each part will have at most
 // one '/' on either side.
