#33986: Code formatters should be looked up before template rendering in startapp/startproject
-----------------------------------------------------+-------------------------------------
               Reporter:  Shai Berger                |          Owner:  Shai Berger
                   Type:  Cleanup/optimization       |         Status:  assigned
              Component:  Core (Management commands) |        Version:  dev
               Severity:  Normal                     |       Keywords:  hardening
           Triage Stage:  Unreviewed                 |      Has patch:  0
    Needs documentation:  0                          |    Needs tests:  0
Patch needs improvement:  0                          |  Easy pickings:  0
                  UI/UX:  0                          |
-----------------------------------------------------+-------------------------------------
 The Security Team received a report about "binary planting" in custom
 templates for the {{{startproject}}} and {{{startapp}}} commands:

 - These commands use the {{{black}}} code formatter if it is installed, so
 they look for it as an executable on the system path;
 - Under some circumstances, the template used for the new project or app
 will be rendered onto the path (e.g. on Windows the current directory is
 on the system path by default, and although this is not the default, the
 template may be rendered into the current directory);
 - In the current code, {{{black}}} is only looked up when it is time to
 run it, that is, after the template has been rendered;
 - So if all the stars above align "correctly", the management command may
 execute a {{{black}}} command that is included in the template;
 - Custom templates can be specified using a remote URL -- in that case,
 downloaded code would be executed immediately.

 The Security Team decided that this should not be treated as a
 vulnerability, since custom templates already get very wide access via the
 Django Template Language. It still seemed worthwhile to change things so
 that the lookup should happen before the custom template can affect the
 choice of executable, and to amplify the warnings in the documentation
 that custom templates are treated as trusted code.
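 The ordering change the ticket asks for, as an added illustration (this is
 not Django's code; the template format, the `black` stand-in script and the
 directory layout are constructed for the demo): the formatter is resolved
 with `shutil.which` before any template output exists, so a file the
 template writes onto the search path cannot influence which executable is
 chosen. The late-lookup variant is kept beside it only to show why the order
 matters; neither variant runs the resolved program.

```python
import os
import shutil
import tempfile

# Name of the optional formatter the management commands look for.
FORMATTER = "black"


def resolve_formatter(search_path):
    """Locate the formatter on the given PATH-style string (None if absent)."""
    return shutil.which(FORMATTER, path=search_path)


def render_template(template_files, target_dir):
    """Write a custom template into target_dir, preserving each file's mode.

    template_files maps a relative file name to (content, mode). A custom
    template is trusted input, exactly as the ticket says; nothing here
    filters what it may contain.
    """
    for name, (content, mode) in template_files.items():
        path = os.path.join(target_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)


def create_project_late_lookup(template_files, target_dir, search_path):
    """Original ordering: render first, look the formatter up afterwards."""
    render_template(template_files, target_dir)
    return resolve_formatter(search_path)


def create_project_early_lookup(template_files, target_dir, search_path):
    """Hardened ordering: pin the formatter before any template output exists."""
    formatter = resolve_formatter(search_path)
    render_template(template_files, target_dir)
    return formatter


def run_scenario():
    """Constructed scenario: the output directory sits ahead of the real tool
    on the search path (the Windows default the ticket describes)."""
    tmp = tempfile.mkdtemp()
    trusted_bin = os.path.join(tmp, "bin")
    late_target = os.path.join(tmp, "proj_late")
    early_target = os.path.join(tmp, "proj_early")
    for d in (trusted_bin, late_target, early_target):
        os.makedirs(d)

    # The legitimately installed formatter (a shell-script stand-in, never run).
    real = os.path.join(trusted_bin, FORMATTER)
    with open(real, "w") as fh:
        fh.write("#!/bin/sh\necho real formatter\n")
    os.chmod(real, 0o755)

    # A custom template that happens to ship an executable with the same name.
    template = {
        "manage.py": ("#!/usr/bin/env python\n", 0o644),
        FORMATTER: ("#!/bin/sh\necho file from template\n", 0o755),
    }

    late = create_project_late_lookup(
        template, late_target, os.pathsep.join([late_target, trusted_bin]))
    early = create_project_early_lookup(
        template, early_target, os.pathsep.join([early_target, trusted_bin]))
    shutil.rmtree(tmp)

    return {
        "late": late,
        "early": early,
        # With the original ordering the choice came from the rendered output.
        "late_inside_target": os.path.dirname(late or "") == late_target,
        # With the hardened ordering the choice came from the trusted location.
        "early_from_trusted": os.path.dirname(early or "") == trusted_bin,
    }


if __name__ == "__main__":
    print(run_scenario())
```

 Passing an explicit `path=` to `shutil.which` keeps the demo independent of
 whatever is on the real `PATH`; a management command would use the process
 environment instead. The value that matters is that the early-lookup result
 is captured once and then reused when the formatter is finally invoked.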

 Thanks to Trung Pham of Viettel Cyber Security for the report.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33986>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
