
prevent unsafe jinja from being saved in the first place for cred types

see: https://github.com/ansible/tower-security/issues/21
This commit is contained in:
Ryan Petrello 2020-07-07 10:59:14 -04:00
parent 2bdd83e029
commit 1cf2f009ed
No known key found for this signature in database
GPG Key ID: F2AA5F2122351777


@ -7,8 +7,8 @@ import json
import re
import urllib.parse
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import UndefinedError, TemplateSyntaxError
from jinja2 import sandbox, StrictUndefined
from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
# Django
from django.contrib.postgres.fields import JSONField as upstream_JSONBField
@ -940,7 +940,7 @@ class CredentialTypeInjectorField(JSONSchemaField):
self.validate_env_var_allowed(key)
for key, tmpl in injector.items():
try:
Environment(
sandbox.ImmutableSandboxedEnvironment(
undefined=StrictUndefined
).from_string(tmpl).render(valid_namespace)
except UndefinedError as e:
@ -950,6 +950,10 @@ class CredentialTypeInjectorField(JSONSchemaField):
code='invalid',
params={'value': value},
)
except SecurityError as e:
raise django_exceptions.ValidationError(
_('Encountered unsafe code execution: {}').format(e)
)
except TemplateSyntaxError as e:
raise django_exceptions.ValidationError(
_('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(
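Review bot: The new `except SecurityError` handler in the third hunk raises its ValidationError without the `code='invalid'` and `params={'value': value}` that the preceding `UndefinedError` handler passes, so callers that key on the error code will see this rejection shaped differently from the other template failures; `raise django_exceptions.ValidationError(_('Encountered unsafe code execution: {}').format(e), code='invalid', params={'value': value})` keeps the three handlers uniform. The sandbox introduced in the second hunk runs only at validation time, so injector templates persisted before this change are never re-checked; if the path that renders injectors when a credential is actually used still builds a plain `Environment`, it should switch to `sandbox.ImmutableSandboxedEnvironment` too — that path is not in this diff, so treat it as something to confirm. The enclosing validation method begins before the second hunk and continues past the last line shown.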