Merge pull request ansible#4434 from ryanpetrello/jinja-injector-sand…

…box-validation prevent unsafe jinja from being saved in the first place for cred types
ryanpetrello · Jul 7, 2020 · bc14e99 · bc14e99
2 parents f943277 + 61d3a76
commit bc14e99
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/awx/main/fields.py b/awx/main/fields.py
@@ -7,8 +7,8 @@
 import re
 import urllib.parse
 
-from jinja2 import Environment, StrictUndefined
-from jinja2.exceptions import UndefinedError, TemplateSyntaxError
+from jinja2 import sandbox, StrictUndefined
+from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
 
 # Django
 from django.contrib.postgres.fields import JSONField as upstream_JSONBField
@@ -932,7 +932,7 @@ def __str__(self):
                     self.validate_env_var_allowed(key)
             for key, tmpl in injector.items():
                 try:
-                    Environment(
+                    sandbox.ImmutableSandboxedEnvironment(
                         undefined=StrictUndefined
                     ).from_string(tmpl).render(valid_namespace)
                 except UndefinedError as e:
@@ -942,6 +942,10 @@ def __str__(self):
                         code='invalid',
                         params={'value': value},
                     )
+                except SecurityError as e:
+                    raise django_exceptions.ValidationError(
+                        _('Encountered unsafe code execution: {}').format(e)
+                    )
                 except TemplateSyntaxError as e:
                     raise django_exceptions.ValidationError(
                         _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(