
Jinja <3.1.5 security vulnerability #225

Open
DiamondJoseph opened this issue Jan 7, 2025 · 2 comments
Labels: dependencies, good first issue

Comments

@DiamondJoseph

https://github.com/DiamondLightSource/blueapi/security/dependabot/12


To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.

Python-copier-template should update the version of Jinja, even if it appears not to be directly relevant.
Python-copier-template should also enable security scanning of dependencies, so that issues are caught ASAP and handled in the appropriate place.
DiamondJoseph added the labels "good first issue" and "dependencies" on Jan 7, 2025.

stan-dot commented Feb 4, 2025

Line 94:

```
Collecting jinja2>=3.1.4 (from copier->python-copier-template==2.6.1.dev6+g9c6f34d)
```

in the CI test job, while a ctrl+f search inside the repo does not show any mention of jinja.

It is a dependency from copier.


stan-dot commented Feb 4, 2025

And the master branch of copier has version 3.1.5 of jinja:

https://github.com/copier-org/copier/blob/master/pyproject.toml

However, the latest release of copier that we use (2024-10-18) has: `jinja2 = ">=3.1.4"`
https://github.com/copier-org/copier/releases

We might force the dependency to be higher manually or wait for copier to change.

However, for the purposes of the template, we're not using it on the website but for running on a local machine, so this is not an issue.

An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code.

@DiamondJoseph your issue title was misleading, as it contains the incorrect version number (3.15, not 3.1.5). Please change it.

@coretl can we close this issue?

DiamondJoseph changed the title from "Jinja <3.15 security vulnerability" to "Jinja <3.1.5 security vulnerability" on Feb 4, 2025.
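An added example, not part of this thread or of the python-copier-template project, that turns the check stan-dot did by hand (can the `jinja2>=3.1.4` line in the CI log still resolve to a release before the 3.1.5 fix?) into a small audit of pip `Collecting` lines. The `FIXED_IN` table and the sample log lines are constructed for the example; only the jinja2 value comes from the issue.

```python
"""Flag pip 'Collecting <pkg><spec>' lines whose specifier can still resolve
to a release older than the first fixed version (stdlib only)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed log lines, modelled on the one quoted in the thread.
SAMPLE_LOG = [
    "Collecting jinja2>=3.1.4 (from copier->python-copier-template==2.6.1.dev6+g9c6f34d)",
    "Collecting jinja2>=3.1.5 (from copier->python-copier-template==2.6.1.dev6+g9c6f34d)",
    "Collecting Jinja2==3.1.2",
    "Collecting jinja2",
    "Collecting copier==9.4.1",
]
# Hypothetical table: package -> first release containing the fix.
FIXED_IN: Dict[str, str] = {"jinja2": "3.1.5"}

_COLLECT = re.compile(r"^Collecting\s+([A-Za-z0-9_.-]+)\s*([^\s(]*)")
_CLAUSE = re.compile(r"^(==|~=|>=|>)\s*([0-9]+(?:\.[0-9]+)*)")


def _ver(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def lower_bound(spec: str) -> Optional[Tuple[int, ...]]:
    """Lowest version a specifier such as '>=3.1.4,<4' may resolve to,
    or None when it has no lower bound. '>' is treated like '>=' so the
    result stays conservative."""
    best: Optional[Tuple[int, ...]] = None
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if m:
            v = _ver(m.group(2))
            best = v if best is None or v > best else best
    return best


def may_resolve_vulnerable(spec: str, fixed: str) -> bool:
    lb = lower_bound(spec)
    return lb is None or lb < _ver(fixed)


def audit_pip_log(lines: List[str], fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    """Return 'name<spec>' for each Collecting line that can still pick a vulnerable release."""
    findings: List[str] = []
    for line in lines:
        m = _COLLECT.match(line)
        if not m:
            continue
        name, spec = m.group(1).lower().replace("_", "-"), m.group(2)
        if name in fixed_in and may_resolve_vulnerable(spec, fixed_in[name]):
            findings.append(f"{name}{spec}")
    return findings
```

Running `audit_pip_log(SAMPLE_LOG)` reports the `>=3.1.4` line, the `==3.1.2` pin and the unconstrained `jinja2` line, but not `>=3.1.5`; a constraints file or an explicit `jinja2>=3.1.5` in the template's own dependencies is what makes the first of those go away.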