prevent unsafe jinja from being saved in the first place for cred types
see: https://github.com/ansible/tower-security/issues/21
This commit is contained in:
parent
2bdd83e029
commit
1cf2f009ed
@ -7,8 +7,8 @@ import json
|
|||||||
import re
|
import re
|
||||||
import urllib.parse
|
import urllib.parse
|
||||||
|
|
||||||
from jinja2 import Environment, StrictUndefined
|
from jinja2 import sandbox, StrictUndefined
|
||||||
from jinja2.exceptions import UndefinedError, TemplateSyntaxError
|
from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
|
||||||
|
|
||||||
# Django
|
# Django
|
||||||
from django.contrib.postgres.fields import JSONField as upstream_JSONBField
|
from django.contrib.postgres.fields import JSONField as upstream_JSONBField
|
||||||
@ -940,7 +940,7 @@ class CredentialTypeInjectorField(JSONSchemaField):
|
|||||||
self.validate_env_var_allowed(key)
|
self.validate_env_var_allowed(key)
|
||||||
for key, tmpl in injector.items():
|
for key, tmpl in injector.items():
|
||||||
try:
|
try:
|
||||||
Environment(
|
sandbox.ImmutableSandboxedEnvironment(
|
||||||
undefined=StrictUndefined
|
undefined=StrictUndefined
|
||||||
).from_string(tmpl).render(valid_namespace)
|
).from_string(tmpl).render(valid_namespace)
|
||||||
except UndefinedError as e:
|
except UndefinedError as e:
|
||||||
@ -950,6 +950,10 @@ class CredentialTypeInjectorField(JSONSchemaField):
|
|||||||
code='invalid',
|
code='invalid',
|
||||||
params={'value': value},
|
params={'value': value},
|
||||||
)
|
)
|
||||||
|
except SecurityError as e:
|
||||||
|
raise django_exceptions.ValidationError(
|
||||||
|
_('Encountered unsafe code execution: {}').format(e)
|
||||||
|
)
|
||||||
except TemplateSyntaxError as e:
|
except TemplateSyntaxError as e:
|
||||||
raise django_exceptions.ValidationError(
|
raise django_exceptions.ValidationError(
|
||||||
_('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(
|
_('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(
|
||||||
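Review bot: The new `except SecurityError` branch in the third hunk only catches a sandbox violation on the code path that the single render against `valid_namespace` actually exercises, so this is a save-time gate rather than a guarantee that a stored injector template is safe; unless the place where injectors are rendered at runtime (outside this diff) also uses `sandbox.ImmutableSandboxedEnvironment`, a template that passes here can still hit the unsandboxed path later. That is worth stating in a comment above the `try:`, e.g. `# Sandboxed dry-run against valid_namespace; the runtime injector render must use the same sandboxed environment`. The new `ValidationError` is also inconsistent with the `UndefinedError` branch just above it, which passes `code='invalid'` and `params={'value': value}`; mirroring that, `raise django_exceptions.ValidationError(_('Encountered unsafe code execution: {}').format(e), code='invalid', params={'value': value})`, keeps the field's error shape uniform for callers. The message wording is slightly misleading as well, since nothing was executed, the sandbox rejected the template; `_('Unsafe template rejected by sandbox: {}')` describes what happened. The enclosing `validate` method starts before the first hunk and continues past the last.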
|