
prevent unsafe jinja from being saved in the first place for cred types

see: https://github.com/ansible/tower-security/issues/21
Ryan Petrello 2020-07-07 10:59:14 -04:00
parent 2bdd83e029
commit 1cf2f009ed


@ -7,8 +7,8 @@ import json
import re import re
import urllib.parse import urllib.parse
from jinja2 import Environment, StrictUndefined from jinja2 import sandbox, StrictUndefined
from jinja2.exceptions import UndefinedError, TemplateSyntaxError from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
# Django # Django
from django.contrib.postgres.fields import JSONField as upstream_JSONBField from django.contrib.postgres.fields import JSONField as upstream_JSONBField
@ -940,7 +940,7 @@ class CredentialTypeInjectorField(JSONSchemaField):
self.validate_env_var_allowed(key) self.validate_env_var_allowed(key)
for key, tmpl in injector.items(): for key, tmpl in injector.items():
try: try:
Environment( sandbox.ImmutableSandboxedEnvironment(
undefined=StrictUndefined undefined=StrictUndefined
).from_string(tmpl).render(valid_namespace) ).from_string(tmpl).render(valid_namespace)
except UndefinedError as e: except UndefinedError as e:
@ -950,6 +950,10 @@ class CredentialTypeInjectorField(JSONSchemaField):
code='invalid', code='invalid',
params={'value': value}, params={'value': value},
) )
except SecurityError as e:
raise django_exceptions.ValidationError(
_('Encountered unsafe code execution: {}').format(e)
)
except TemplateSyntaxError as e: except TemplateSyntaxError as e:
raise django_exceptions.ValidationError( raise django_exceptions.ValidationError(
_('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format( _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(
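Review bot: The sandbox only raises SecurityError for code that actually executes during the sample render with `valid_namespace`, so a template that guards its unsafe attribute access behind a condition on a real credential value (for example `{% if password == 'x' %}{{ ''.__class__ }}{% endif %}`) will pass this save-time validation; the check is a useful gate but not a complete one, so the runtime injector renderer should also use `ImmutableSandboxedEnvironment` (whether it already does is outside this hunk), and templates saved before this change remain unvalidated until re-saved. The new `except SecurityError` branch also drops the `sub_key`/`type` context and the `code='invalid'` / `params` that the neighbouring `UndefinedError` and `TemplateSyntaxError` handlers carry, which makes the API error harder to act on; consider `_('Encountered unsafe code execution for {sub_key} inside of {type}: {error_msg}').format(sub_key=key, type=field, error_msg=e)` with the same `code`/`params` keyword arguments, and `raise ... from e` to keep the cause. Note that `TemplateSyntaxError` is raised by `from_string()` before `render()` runs, so ordering of the except clauses is fine as written. The enclosing `validate` method begins before the hunk and its loop variables (`key`, `tmpl`, `valid_namespace`) are defined there.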