From fc12891256a8192a70766449473b19fd2724a8d5 Mon Sep 17 00:00:00 2001
From: Xavier Hardy
Date: Mon, 10 Apr 2017 15:36:23 +0200
Subject: [PATCH] Use Jinja2 sandbox environment
Jinja2 non-sandbox environment is unsafe as it gives access to unsafe Python methods
Change-Id: If8a96bb92f64c4226a3d02e3cf6e0dcb0e9156fd
Closes-Bug: #1680112
---
 mistral/expressions/jinja_expression.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mistral/expressions/jinja_expression.py b/mistral/expressions/jinja_expression.py
index e17ee1eb3..116e2c213 100644
--- a/mistral/expressions/jinja_expression.py
+++ b/mistral/expressions/jinja_expression.py
@@ -16,6 +16,7 @@ import re
 import jinja2
 from jinja2 import parser as jinja_parse
+from jinja2.sandbox import SandboxedEnvironment
 from oslo_log import log as logging
 import six
@@ -29,7 +30,7 @@ LOG = logging.getLogger(__name__)
 JINJA_REGEXP = '({{(.*)}})'
 JINJA_BLOCK_REGEXP = '({%(.*)%})'
-_environment = jinja2.Environment(
+_environment = SandboxedEnvironment(
 undefined=jinja2.StrictUndefined,
 trim_blocks=True,
 lstrip_blocks=True
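Review bot: The added line `+from jinja2.sandbox import SandboxedEnvironment` imports a class, whereas the neighbouring `from jinja2 import parser as jinja_parse` and the rest of this import block import modules, which is the convention OpenStack's hacking checks expect. For consistency I would write `from jinja2 import sandbox as jinja_sandbox` here and reference `jinja_sandbox.SandboxedEnvironment(` where the environment is constructed in the second hunk. This is purely a style point; both forms behave the same.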
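Review bot: `SandboxedEnvironment` at `+_environment = SandboxedEnvironment(` restricts access to attributes Jinja2 classes as unsafe, but it still allows a template to call mutating methods on objects passed into the render context (for example appending to a list or updating a dict in the workflow context); if those context objects are shared with other code, `ImmutableSandboxedEnvironment` from the same `jinja2.sandbox` module is the safer choice and is a drop-in replacement on that line. The sandbox also does not bound CPU or memory use, so expressions from untrusted workflow definitions can still cause resource exhaustion; a comment above `_environment` such as `# Sandboxed: blocks unsafe attribute access, not resource exhaustion.` would make that limit explicit to the next maintainer. If the module constructs any other `jinja2.Environment` outside this hunk, it should be switched as well. The keyword-argument list continues past the end of the hunk.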