
grobidOrg / grobid / 28229525583

26 Jun 2026 09:28AM UTC coverage: 38.627% (+0.002%) from 38.625%
push · github · web-flow
Security advisories (#1477)

* fix: address command injection via crafted PDF file names

Command injection (GHSA-mgxf-7mg7-qpmf): the non-server pdfalto path
interpolated the PDF file path into a `bash -c` string, so a filename
containing a single quote plus shell syntax could inject commands. The
already-tokenized command is now passed to bash as positional parameters
and exec'd via "$@", so file names are never re-parsed by the shell.
Added DocumentSourceTest covering quoted/metacharacter filenames.

* fix: stop thread leak in /api/modelTraining

Thread leak (GHSA-g2r5-4c8r-c84f): /api/modelTraining created a
FixedThreadPool per request and never shut it down, permanently leaking
one JVM thread per call. The executor is now shut down after submit.

* feat: limit to one training per model, reject any new request to train

Only one training per model can run at a time: a second request for a
model whose training is still in progress is rejected with 409 Conflict.
Flavor variants (e.g. header vs header-light) are distinct models and do
not block each other. The per-request executor is shut down after submit
so the worker thread terminates once the training task completes.

* bonus: update coveralls badge

---------

Signed-off-by: Luca Foppiano <luca@foppiano.org>
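The injection the first advisory describes is easiest to see by running the two launch patterns side by side. The following is an added example, not grobid's own code: `printf '%s\n'` stands in for pdfalto so that the child process prints every argv element it received on its own line, and the two file names are constructed for the demonstration. `exec_tokens` is the fixed pattern the commit message describes (tokens as positional parameters, exec'd via `"$@"`), under a hypothetical name.

```shell
#!/usr/bin/env bash
# Added example: interpolating a file name into a "bash -c" string versus
# passing the already-tokenized command as positional parameters.

# Constructed file name: closes the single quote the vulnerable template opens,
# runs shell syntax, then reopens a quote so the whole string still parses.
EVIL_NAME="a'; echo INJECTED; echo 'b.pdf"

# Constructed legitimate name that merely contains an apostrophe.
QUOTED_NAME="O'Brien.pdf"

# Vulnerable pattern: the file name is spliced into a command string that
# bash -c re-tokenizes, so quotes and metacharacters inside it are live.
run_vulnerable() {
    local file="$1"
    bash -c "printf '%s\n' '$file'"
}

# Fixed pattern (hypothetical helper name): bash only ever parses the constant
# string 'exec "$@"'; every token, the file name included, arrives as a
# positional parameter and is handed to the program verbatim.
exec_tokens() {
    bash -c 'exec "$@"' bash "$@"
}

run_fixed() {
    local file="$1"
    exec_tokens printf '%s\n' "$file"
}

# Number of argv elements the child received (one output line per element).
argc_received() {
    "$@" | wc -l | tr -d ' '
}

# Demonstration when run directly. The legitimate apostrophe name is also a
# functional bug in the vulnerable form: bash reports an unterminated quote.
printf -- '--- vulnerable, crafted name ---\n'
run_vulnerable "$EVIL_NAME"
printf -- '--- fixed, crafted name ---\n'
run_fixed "$EVIL_NAME"
printf -- '--- vulnerable, legitimate apostrophe ---\n'
run_vulnerable "$QUOTED_NAME" 2>/dev/null || printf 'exit status %s (syntax error)\n' "$?"
printf -- '--- fixed, legitimate apostrophe ---\n'
run_fixed "$QUOTED_NAME"
```

With the crafted name the vulnerable form prints three lines (`a`, `INJECTED`, `b.pdf`), i.e. the attacker's `echo` ran; the fixed form prints the file name once, unchanged, because the child received it as a single argument. The same `exec "$@"` trampoline works under any POSIX `sh`, so the fix does not depend on bash specifically.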

8671 of 24964 branches covered (34.73%)

Branch coverage included in aggregate %.

18467 of 45293 relevant lines covered (40.77%)

1.65 hits per line

Source File

59.26
/org/grobid/core/document/DocumentSource.java


Source Not Available


© 2026 Coveralls, Inc