
Jinja2 2.10 security vulnerability reported by GitHub #1780

Closed
SueChaplain opened this issue Apr 15, 2019 · 4 comments · Fixed by #1940
Comments


@SueChaplain SueChaplain commented Apr 15, 2019

Hi

I just got an alert on my github repo (where we use mkdocs to build our doc) for Jinja2 2.10:

Recommendation is to move to 2.10.1.

Are there any known issues with moving to this level? Are there any plans to update the Mkdocs dependency list to this level?

Thanks!


@waylan waylan commented Apr 15, 2019

This is the first I've heard of it and your link appears to be broken. Could you provide a copy of the alert in a comment here?


@waylan waylan commented Apr 15, 2019

With a quick search, I found this report:

> An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.

Note that as MkDocs is a Static Site Generator, there is no template rendering server-side and there should be no way for an attacker to use this exploit with MkDocs. Additionally, we don't specify a specific required version of Jinja2. You are free to update your local copy of Jinja2 to a patched version without issue. That said, we should update our minimum version from 2.7.1 to a patched version of Jinja2. It appears that version 2.10.1 was released 9 days ago to address this issue specifically.

@SueChaplain thanks for the report.


@SueChaplain SueChaplain commented Apr 15, 2019

> This is the first I've heard of it and your link appears to be broken. Could you provide a copy of the alert in a comment here?

Of course - the report generated by GitHub is private. Sorry!

The CVE is actually this one: https://nvd.nist.gov/vuln/detail/CVE-2019-10906

> In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Not sure whether this would be an exposure in MkDocs or not?

As both issues are patched in 2.10.1, this seems like the appropriate course of action. Thanks for picking this up so quickly.


@waylan waylan commented Apr 15, 2019

Thanks for the update @SueChaplain. The analysis is exactly the same: not a problem for a static site generator, but update your local version of Jinja2 if you are concerned.
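The two points the thread turns on, as an added example (not code from MkDocs, Jinja, or either commenter): the from_string report only bites when attacker-controlled text is used *as the template source*, whereas the same text passed as a render() variable is inert and autoescaped; and the remediation is a version floor of 2.10.1 on whatever Jinja2 is actually importable. The `UNTRUSTED` string is a constructed, benign probe; the helper names and the assumption that Jinja2 is installed are mine.

```python
"""SSTI pattern vs data pattern, plus a Jinja2 minimum-version check.

Added example; assumes `jinja2` is importable in the current environment.
"""
from importlib import metadata

import jinja2

# The floor the thread settles on: 2.10.1 patched the reported issues.
MIN_SAFE_JINJA2 = (2, 10, 1)

# Constructed attacker-controlled input: a template expression plus a tag
# that autoescaping should neutralise when the input is treated as data.
UNTRUSTED = "{{ 7 * 7 }}<script>"


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1); a non-numeric tail ('2.11.0rc1') is dropped.

    Hand-rolled so the check does not depend on the `packaging` module.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def jinja2_meets_minimum(version_text, minimum=MIN_SAFE_JINJA2):
    """True when a version string is at or above the patched release."""
    return parse_version(version_text) >= minimum


def installed_jinja2_ok():
    """Check the Jinja2 distribution that is actually importable here."""
    try:
        return jinja2_meets_minimum(metadata.version("jinja2"))
    except metadata.PackageNotFoundError:
        return False


def render_untrusted_as_template(user_input):
    """The pattern the report describes: the request string *becomes* the
    template source, so any Jinja expression inside it is evaluated.
    Note that autoescape does nothing here; it only escapes variables."""
    env = jinja2.Environment(autoescape=True)
    return env.from_string("Hello " + user_input).render()


def render_untrusted_as_data(user_input):
    """The safe pattern: the template is developer-authored and fixed; the
    user string is only a render() variable, so its {{ ... }} is literal
    text and its markup is escaped."""
    env = jinja2.Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


if __name__ == "__main__":
    print("installed Jinja2 >= 2.10.1:", installed_jinja2_ok())
    print("as template:", render_untrusted_as_template(UNTRUSTED))
    print("as data:    ", render_untrusted_as_data(UNTRUSTED))
```

A static site generator such as MkDocs sits in the second pattern: the templates come from the theme on disk and the page content is data, so there is no request-time from_string of user input. The version floor still matters because the CVE named above is a sandbox escape, and a SandboxedEnvironment is only as strong as the Jinja2 release that implements it.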

@waylan waylan added this to the 1.1 milestone Nov 26, 2019
waylan added a commit to waylan/mkdocs that referenced this issue Dec 20, 2019
Jinja 2.10.1 patched a security vulnerability. See the release notes here:
https://github.com/pallets/jinja/blob/master/CHANGES.rst#version-2101

Closes mkdocs#1780.
waylan added a commit that referenced this issue Dec 20, 2019
Jinja 2.10.1 patched a security vulnerability. See the release notes here:
https://github.com/pallets/jinja/blob/master/CHANGES.rst#version-2101

Closes #1780.