diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 63f25ef12a..478156beb4 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -37,6 +37,10 @@ Changed
 Contributed by @khushboobhatia01
+* Move to using Jinja sandboxed environment #5359
+
+ Contributed by Amanda McGuinness (@amanda11 Ammeon Solutions)
+
 Fixed
 ~~~~~
diff --git a/contrib/runners/orquesta_runner/in-requirements.txt b/contrib/runners/orquesta_runner/in-requirements.txt
index 73fae41238..77570be456 100644
--- a/contrib/runners/orquesta_runner/in-requirements.txt
+++ b/contrib/runners/orquesta_runner/in-requirements.txt
@@ -1 +1 @@
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
diff --git a/contrib/runners/orquesta_runner/requirements.txt b/contrib/runners/orquesta_runner/requirements.txt
index 81ece561f0..03b03964bd 100644
--- a/contrib/runners/orquesta_runner/requirements.txt
+++ b/contrib/runners/orquesta_runner/requirements.txt
@@ -5,4 +5,4 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 7793ccab22..2155f566fd 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -22,7 +22,8 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx==1.11
+#Update networkx to match orquesta
+networkx>=2.5.1,<3.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements.txt b/requirements.txt
index ae871d0140..0c2438e1ca 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,7 +16,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
 git+https://github.com/StackStorm/logshipper.git@stackstorm_patched#egg=logshipper
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-auth-backend-flat-file.git@master#egg=st2-auth-backend-flat-file
 git+https://github.com/StackStorm/st2-auth-ldap.git@master#egg=st2-auth-ldap
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
@@ -32,7 +32,7 @@ kombu==5.0.2
 lockfile==0.12.2
 mock==4.0.3
 mongoengine==0.23.0
-networkx==1.11
+networkx>=2.5.1,<3.0
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
diff --git a/st2common/in-requirements.txt b/st2common/in-requirements.txt
index 0a0b01469c..e32d20a07b 100644
--- a/st2common/in-requirements.txt
+++ b/st2common/in-requirements.txt
@@ -10,7 +10,7 @@ jsonschema
 kombu
 mongoengine
 networkx
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
 oslo.config
 paramiko
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index 3bd47b7a24..33ea04318a 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -12,7 +12,7 @@ cryptography==3.4.7
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
 gitdb==4.0.2
 gitpython==3.1.15
@@ -23,7 +23,7 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx==1.11
+networkx>=2.5.1,<3.0
 orjson==3.5.2
 oslo.config>=1.12.1,<1.13
 paramiko==2.7.2
diff --git a/st2common/st2common/util/jinja.py b/st2common/st2common/util/jinja.py
index 5e42725775..e86d23dd5c 100644
--- a/st2common/st2common/util/jinja.py
+++ b/st2common/st2common/util/jinja.py
@@ -88,9 +88,10 @@ def get_jinja_environment(allow_undefined=False, trim_blocks=True, lstrip_blocks
 # Late import to avoid very expensive in-direct import (~1 second) when this function
 # is not called / used
 import jinja2
+ import jinja2.sandbox
 undefined = jinja2.Undefined if allow_undefined else jinja2.StrictUndefined
- env = jinja2.Environment( # nosec
+ env = jinja2.sandbox.SandboxedEnvironment( # nosec
 undefined=undefined, trim_blocks=trim_blocks, lstrip_blocks=lstrip_blocks
 )
 env.filters.update(get_filters())
diff --git a/st2common/st2common/util/param.py b/st2common/st2common/util/param.py
index d2604d6a03..52e1f025fd 100644
--- a/st2common/st2common/util/param.py
+++ b/st2common/st2common/util/param.py
@@ -156,8 +156,8 @@ def _process_defaults(G, schemas):
 """
 for schema in schemas:
 for name, value in six.iteritems(schema):
- absent = name not in G.node
- is_none = G.node.get(name, {}).get("value") is None
+ absent = name not in G.nodes
+ is_none = G.nodes.get(name, {}).get("value") is None
 immutable = value.get("immutable", False)
 if absent or is_none or immutable:
 _process(G, name, value.get("default"))
@@ -167,8 +167,8 @@ def _validate(G):
 """
 Validates dependency graph to ensure it has no missing or cyclic dependencies
 """
- for name in G.nodes():
- if "value" not in G.node[name] and "template" not in G.node[name]:
+ for name in G.nodes:
+ if "value" not in G.nodes[name] and "template" not in G.nodes[name]:
 msg = 'Dependency unsatisfied in variable "%s"' % name
 raise ParamException(msg)
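Review bot: `SandboxedEnvironment` restricts attribute access and callable invocation inside templates, but everything registered through `env.filters.update(get_filters())` on the last context line of the jinja.py hunk still runs with full interpreter privileges on template-controlled arguments, so the filter set is now the effective trust boundary and deserves a comment next to the sandbox line, e.g. `# Sandbox covers template attribute/call access only; registered filters run unsandboxed`. Consider also whether `jinja2.sandbox.ImmutableSandboxedEnvironment` is the better fit, since the plain sandbox still lets a template mutate lists and dicts passed in the render context in place. The retained `# nosec` presumably suppresses the autoescape warning, which the sandbox does not change, so a word on that would keep the marker honest. `get_jinja_environment`'s signature and return lie outside the hunk.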
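Review bot: The rewritten `G.nodes.get(name, {})` in `_process_defaults`, the `G.nodes[name]` lookups in `_validate`, and the same lookup in the `_resolve_dependencies` hunk that follows all rely on `G.nodes` being a Mapping-style view rather than the old `G.node` dict, which is the networkx 2.x API that the requirements files in this commit now pin with `networkx>=2.5.1,<3.0`; a one-line comment at the first use, `# networkx>=2: G.nodes is a NodeView (Mapping); the G.node dict was removed in 2.4`, would tell the next reader why that lower bound exists. Nothing visible here guards against an older networkx being installed, so the failure mode in that case stays an AttributeError at first call. Each of the three enclosing functions continues beyond its hunk.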
@@ -232,7 +232,7 @@ def _resolve_dependencies(G):
 """
 context = {}
 for name in nx.topological_sort(G):
- node = G.node[name]
+ node = G.nodes[name]
 try:
 context[name] = _render(node, context)
diff --git a/tools/st2-analyze-links.py b/tools/st2-analyze-links.py
index f66c158dea..cff9a263da 100644
--- a/tools/st2-analyze-links.py
+++ b/tools/st2-analyze-links.py
@@ -152,11 +152,11 @@ def generate_graph(self, rule_links, out_file):
 print(rule_link._source_action_ref)
 if rule_link._source_action_ref not in nodes:
 nodes.add(rule_link._source_action_ref)
- dot.node(rule_link._source_action_ref, rule_link._source_action_ref)
+ dot.add_node(rule_link._source_action_ref)
 if rule_link._dest_action_ref not in nodes:
 nodes.add(rule_link._dest_action_ref)
- dot.node(rule_link._dest_action_ref, rule_link._dest_action_ref)
- dot.edge(
+ dot.add_node(rule_link._dest_action_ref)
+ dot.add_edge(
 rule_link._source_action_ref,
 rule_link._dest_action_ref,
 constraint="true",
diff --git a/tools/visualize_action_chain.py b/tools/visualize_action_chain.py
index c6742c460d..53a23ab51b 100755
--- a/tools/visualize_action_chain.py
+++ b/tools/visualize_action_chain.py
@@ -71,7 +71,7 @@ def main(metadata_path, output_path, print_source=False):
 # Add all nodes
 node = chain_holder.get_next_node()
 while node:
- dot.node(node.name, node.name)
+ dot.add_node(node.name)
 node = chain_holder.get_next_node(curr_node_name=node.name)
 # Add connections
@@ -89,7 +89,7 @@ def main(metadata_path, output_path, print_source=False):
 # Add success node (if any)
 if success_node:
- dot.edge(
+ dot.add_edge(
 previous_node.name,
 success_node.name,
 constraint="true",
@@ -102,7 +102,7 @@ def main(metadata_path, output_path, print_source=False):
 # Add failure node (if any)
 if failure_node:
- dot.edge(
+ dot.add_edge(
 previous_node.name,
 failure_node.name,
 constraint="true",
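Review bot: `dot.add_node` and `dot.add_edge` are networkx graph methods, while the removed `dot.node(name, label)` / `dot.edge(..., constraint="true")` calls match a graphviz-style `Digraph` API; `dot` is constructed outside the `generate_graph` hunk and nothing in this diff shows that construction changing, so if it is still a graphviz object every rewritten call here and in the three `tools/visualize_action_chain.py` hunks raises `AttributeError` at runtime. Confirm the constructor, and that `constraint="true"` now arrives as an edge attribute the DOT writer in use still emits. If `dot` is indeed a networkx graph, a short comment above the first `dot.add_node`, `# dot is a networkx graph; the node id doubles as its label`, would record why the explicit label argument was dropped. Both scripts' functions continue outside their hunks.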