asf-tooling opened a new issue, #990:
URL: https://github.com/apache/tooling-trusted-releases/issues/990
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
The `render_string_sync` function accepts arbitrary strings and compiles
them as Jinja2 templates using a non-sandboxed `jinja2.Environment`. This
function is exported as a public API (`render_string`) without input
validation, sanitization, or sandboxing, creating a potential Server-Side
Template Injection (SSTI) vector if ever called with user-controlled input.
While no current code path feeds user-controlled input to this function, its
availability represents a latent Remote Code Execution (RCE) risk for future
development. The function uses a standard Jinja2 environment (not sandboxed)
which would allow full access to Python's object hierarchy, filesystem, and
system commands if user input reached it.
### Details
**Affected Files and Lines:**
- `atr/template.py:58-62` - render_string_sync without sandboxing
- `atr/template.py:86` - Public export
- `atr/template.py:44-51` - Non-sandboxed environment
The function is exported publicly without protection against SSTI, creating
a latent RCE risk.
### Recommended Remediation
**Priority 1 - Option A (Recommended):** Remove the function entirely if
unused, or make it private (`_render_string_sync`) with security warnings if
needed internally:
```python
def _render_string_sync(source: str, **context) -> str:
    """INTERNAL ONLY: Render template from string.

    WARNING: Never call with user-controlled input - SSTI/RCE risk.
    """
    # ... implementation
```
Remove the public export (`render_string = render_string_sync`).
**Priority 1 - Option B:** Replace `SyncEnvironment` with
`SyncSandboxedEnvironment`:
```python
from jinja2.sandbox import SandboxedEnvironment
jinja_env = SandboxedEnvironment(...)
```
**Priority 1 - Option C:** Add runtime validation to reject any source
containing Jinja2 expression syntax:
```python
import re

# Reject any source containing an expression, statement or comment delimiter.
if re.search(r'\{\{|\{%|\{#', source):
    raise ValueError("Template syntax not allowed in render_string")
```
**Priority 2:** Add CI/lint check (pre-commit hook) to flag any new usage of
`render_string()`, `render_string_sync()`, or direct calls to
`jinja_env.from_string()`.
### Acceptance Criteria
- [ ] Function removed or made private OR
- [ ] Sandboxed environment used OR
- [ ] Template syntax validation added
- [ ] Public export removed
- [ ] CI check added
- [ ] Unit test verifying the fix
### References
- Source reports: L1:1.3.2.md, L2:1.3.7.md
- Related findings: None
- ASVS sections: 1.3.2, 1.3.7
### Priority
Medium
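An added Python example (not code from the ATR project) that puts Options B and C side by side: the Option C delimiter check from the issue, and a plain `Environment` (standing in for the non-sandboxed `SyncEnvironment`) rendered against a `SandboxedEnvironment` on the same constructed probe template, so the sandbox's `SecurityError` is visible. The helper names `contains_template_syntax`, `render_with`, `compare_environments` and the `secret` context value are assumptions for the demo.

```python
import re

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed stand-ins for the two environments the issue contrasts:
# a plain Environment (what the non-sandboxed SyncEnvironment amounts to)
# and a SandboxedEnvironment (Option B).
PLAIN_ENV = Environment(autoescape=False)
SANDBOX_ENV = SandboxedEnvironment(autoescape=False)

# Option C: any Jinja2 expression, statement or comment delimiter.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")


def contains_template_syntax(source: str) -> bool:
    """Option C check: True if the string would be parsed as a template."""
    return TEMPLATE_SYNTAX.search(source) is not None


def render_with(env: Environment, source: str, **context) -> str:
    """Compile `source` with `env` and render it. Returns the rendered text,
    or a 'SecurityError: ...' marker when the sandbox refuses the access."""
    try:
        return env.from_string(source).render(**context)
    except SecurityError as exc:
        return f"SecurityError: {exc}"


# Constructed probe: reaches an underscore-prefixed attribute, which the
# sandbox treats as unsafe. The plain environment resolves the chain and
# returns the type name; the sandbox stops it with SecurityError.
PROBE = "{{ secret.__class__.__name__ }}"


def compare_environments(source: str = PROBE) -> dict:
    """Render the same source in both environments with one context value."""
    return {
        "plain": render_with(PLAIN_ENV, source, secret="hunter2"),
        "sandboxed": render_with(SANDBOX_ENV, source, secret="hunter2"),
    }


if __name__ == "__main__":
    print("Option C flags probe:", contains_template_syntax(PROBE))
    for name, result in compare_environments().items():
        print(f"{name:10s} -> {result}")
```

The sandbox still renders ordinary expressions (for example `{{ secret|length }}`), so Option B changes what a template may reach, not what benign templates produce.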
---
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.