From 61d3a765eea93964d2992acb656c18309213e1ca Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 7 Jul 2020 10:59:14 -0400
Subject: [PATCH] prevent unsafe jinja from being saved in the first place for cred types
see: https://github.com/ansible/tower-security/issues/21
---
 awx/main/fields.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/awx/main/fields.py b/awx/main/fields.py
index 4e854bbb8b02..57d2d9e505b9 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -7,8 +7,8 @@ import re
 import urllib.parse
-from jinja2 import Environment, StrictUndefined
-from jinja2.exceptions import UndefinedError, TemplateSyntaxError
+from jinja2 import sandbox, StrictUndefined
+from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
 # Django
 from django.contrib.postgres.fields import JSONField as upstream_JSONBField
@@ -932,7 +932,7 @@ def __str__(self):
 self.validate_env_var_allowed(key)
 for key, tmpl in injector.items():
 try:
- Environment(
+ sandbox.ImmutableSandboxedEnvironment(
 undefined=StrictUndefined
 ).from_string(tmpl).render(valid_namespace)
 except UndefinedError as e:
@@ -942,6 +942,10 @@ def __str__(self):
 code='invalid',
 params={'value': value},
 )
+ except SecurityError as e:
+ raise django_exceptions.ValidationError(
+ _('Encountered unsafe code execution: {}').format(e)
+ )
 except TemplateSyntaxError as e:
 raise django_exceptions.ValidationError(
 _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(
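Review bot: Swapping `Environment(` for `sandbox.ImmutableSandboxedEnvironment(` in the validation loop only protects credential types saved after this change; injector templates already stored in `injectors` were never checked, and whether the runtime path that renders those templates during job launch uses the same sandbox is not visible in this hunk. If it does not, pairing this with a data migration that re-runs this validation over existing rows (or at least logs the credential types whose templates the sandbox rejects) would close that gap for operators. The enclosing validate method starts and ends outside the hunk.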
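Review bot: The new `except SecurityError as e:` branch raises `ValidationError` without the `code='invalid'` and `params={'value': value}` that the neighbouring `UndefinedError` handler passes, so API consumers inspecting the error's code or params get an inconsistent shape for this one case. Suggest `raise django_exceptions.ValidationError(_('Encountered unsafe code execution: {}').format(e), code='invalid', params={'value': value})`. A one-line comment above the branch, such as `# the sandbox rejects attribute/method access outside the template namespace`, would also tell the next maintainer why this handler exists separately from TemplateSyntaxError. The enclosing method continues outside the hunk.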