authorXavier Hardy <xavier.hardy@corp.ovh.com>2017-04-10 15:36:23 +0200
committerXavier Hardy <xavier.hardy@corp.ovh.com>2017-06-06 09:40:07 +0200
commitb09982a5b4d916a1477d49bf5905969b57c496c5 (patch)
tree9d4f0cf026bc48f493e2d816cf0d067d9b3550bb
parent53d3aed4ed20b4a65de87696fd8fcb47cd009f1e (diff)
Use Jinja2 sandbox environment
The Jinja2 non-sandboxed environment is unsafe because it gives access to unsafe Python methods. Change-Id: If8a96bb92f64c4226a3d02e3cf6e0dcb0e9156fd Closes-Bug: #1680112 (cherry picked from commit fc12891256a8192a70766449473b19fd2724a8d5)
Notes
Notes (review): Code-Review+1: Dougal Matthews <dougal@redhat.com> Code-Review+2: Renat Akhmerov <renat.akhmerov@gmail.com> Workflow+1: Renat Akhmerov <renat.akhmerov@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Wed, 07 Jun 2017 06:33:07 +0000 Reviewed-on: https://review.openstack.org/471239 Project: openstack/mistral Branch: refs/heads/stable/ocata
-rw-r--r--mistral/expressions/jinja_expression.py3
1 files changed, 2 insertions, 1 deletions
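diff --git a/mistral/expressions/jinja_expression.py b/mistral/expressions/jinja_expression.py
index 25801af..36875a7 100644
--- a/mistral/expressions/jinja_expression.py
+++ b/mistral/expressions/jinja_expression.py
@@ -16,6 +16,7 @@ import re
 
 import jinja2
 from jinja2 import parser as jinja_parse
+from jinja2.sandbox import SandboxedEnvironment
 from oslo_log import log as logging
 import six
 
@@ -29,7 +30,7 @@ LOG = logging.getLogger(__name__)
 JINJA_REGEXP = '({{(.*)}})'
 JINJA_BLOCK_REGEXP = '({%(.*)%})'
 
-_environment = jinja2.Environment(
+_environment = SandboxedEnvironment(
     undefined=jinja2.StrictUndefined,
     trim_blocks=True,
     lstrip_blocks=True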
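Review bot: The switch to `SandboxedEnvironment` at `_environment = SandboxedEnvironment(` carries no comment stating why the sandbox is required, so a later refactor could quietly revert to `jinja2.Environment` and reintroduce the issue this commit closes; add `# Sandboxed: Jinja2 expressions must not reach unsafe Python attributes/methods (Closes-Bug: #1680112).` above the assignment. If the expressions evaluated here never need to mutate the objects passed into the context, `jinja2.sandbox.ImmutableSandboxedEnvironment` is the stricter choice and would be worth a follow-up, though whether mutation is needed cannot be judged from this hunk. Note that the sandbox restricts attribute and method access only; it does not bound the CPU or memory a template can consume, which is a separate control if expressions come from an untrusted source. The `_environment = SandboxedEnvironment(` call ends outside the hunk.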