Commit ab17e830 authored by Igor Ponomarev's avatar Igor Ponomarev Committed by Antonio Terceiro
Browse files

lava_rest_app: use sandbox jinja2 environment for user provided template

Fix remote code execution at /api/v0.2/devices/validate/ endpoint

Jinja2 templates created from a user input are open to code
injection. By switching to sandboxed jinja2 environment only
a restricted set of function calls will be available
when rendering a template.
parent ae132dac
Pipeline #13767 passed with stages
in 19 minutes and 2 seconds
......@@ -22,7 +22,6 @@ import io
import pathlib
import voluptuous
import yaml
import jinja2
import lava_common.schemas as schemas
import lava_common.schemas.test.testdef as testdef
......@@ -30,6 +29,7 @@ from django.conf import settings
from django.db import transaction
from django.http.response import HttpResponse
from django.http import Http404
from jinja2.sandbox import SandboxedEnvironment as JinjaSandboxedEnvironment
from lava_common.version import __version__
from lava_common.compat import yaml_dump, yaml_safe_load
......@@ -515,7 +515,7 @@ class DeviceViewSet(base_views.DeviceViewSet, viewsets.ModelViewSet):
raise ValidationError({"device": "Device dictionary is required."})
try:
template = jinja2.Environment(
template = JinjaSandboxedEnvironment(
loader=File("device").loader(), autoescape=False, trim_blocks=True
).from_string(devicedict)
yaml_safe_load(template.render())
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment