Typst’s security model (no arbitrary file access, no arbitrary network requests, no execution of OS commands, plugins only as sandboxed WASM) is somewhat unique and probably an important feature of Typst. However, currently the documentation does not have a dedicated page highlighting this (and guaranteeing it for the future). Instead this information is only available in the individual documentation pages, e.g. the one on plugins or the project root.
I think it would be useful if there was a dedicated page on Typst’s “Security Model” (or however you want to call it) which mentions the general position (see also this old comment by Laurenz Mädje), and then refers to the individual points how this is achieved. For detailed information it could then link to the dedicated documentation pages.
For completeness it might be worth mentioning that for some use cases this can be limiting but there are sometimes workarounds, such as compiling external tools to WASM (or checking if a package has done it already; or if a package exists which offers the same functionality), using external tools to create data such as JSON and then loading it in Typst (and referring to the respective docs page).
What do you think?
Or did you, the Typst maintainers, not want to make any guarantees about this yet, while nonetheless trying to make Typst as secure as possible.
Note that there are some aspects which might not follow that security model, see for example Compiler and HTML security.
To avoid any misunderstanding; I am specifically talking about the security properties of the Typst language / compiler, not about any legal documentation (which would go into the Privacy Policy or Terms and Conditions documentation).
My point is that Typst is designed so that you can compile a project even if you don’t trust it 100% (e.g. a Typst template not published to the Universe yet), and that due to Typst’s security model it won’t run arbitrary OS commands and install malware on your device.
That is potentially different from other typesetting applications[1], and also different from other scripting languages.
There is a lot of software which is not “security software” but ideally still should consider security as a high goal, e.g. a PDF viewer not executing arbitrary JavaScript or OS commands, a word processing program not executing macros by default, …
I had already linked to Laurenz’ comment on that exact discussion in my post…
That post seems to be mostly about GitHub, and partially about the Typst web app, but focuses on the Privacy Policy / Terms and Conditions, not on the properties of the Typst language or compiler.
I am not very familiar with LaTeX, but it seems it provides a similar security model / security guarantees as Typst. Though it is a bit more lenient? It allows writing files in the current working directory, and through opt-in -shell-escape allows executing OS commands. ↩︎
It should either be a SECURITY.md file, a documentation entry or on the homepage. I don’t recommend using the .github variant, as this is just obfuscating things for no reason (and makes it a hassle, in the scenario that Typst Gmbh decides to move to other hosts).
I’d say the documentation would be the best spot, since it’s a collection of all features of Typst. Though the structure of the documentation might need to be redone (I love Quarto’s structure, as it gives a great overview of everything Guide – Quarto).
@Maxwell I don’t know how typst handles images, except that it reencodes some images into png or jpeg format. And of course, if you download something from the internet, there is always the chance of getting a virus or something ;)
Typst simply limits itself, so it can’t be abused through malicious injection during rendering.
I can see having something in the docs. I’m not quite sure where to put it though. Might fit into a CLI section that doesn’t exist yet, but will at some point.