Commit 8a865fb

Run Jinja2 code in sandboxed environment
Also warn user in the documentation about security risks when using code from others.
1 parent 0d714d1 commit 8a865fb

2 files changed, +9 -2 lines changed

Diff for: docs/templating/index.md

+6
@@ -3,6 +3,12 @@
33
Peering Manager comes with a built-in templating feature. This feature can be
44
used to generate configuration for routers as well as e-mails.
55

6+
!!! warning
7+
Even though Peering Manager uses a sandboxed environment to run Jinja2
8+
logic, the language is powerful enough to do things that can potentially
9+
leak confidential details or even harm the machine. Be extremely careful
10+
when using code from someone else.
11+
612
## Jinja2
713

814
The templating feature is based on
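Review bot: the warning on lines 7-10 of the hunk should say what the sandbox does and does not protect, otherwise "leak confidential details" is hard for a reader to judge. Jinja2's SandboxedEnvironment restricts attribute access (underscore-prefixed attributes, callables marked unsafe) but hides nothing that is placed in the rendering context, so every variable handed to a router configuration or e-mail template is readable by template logic, and the sandbox imposes no execution-time or output-size limit. Suggest adding a sentence along the lines of "Everything passed to a template as context can be read by that template; the sandbox only blocks access to Python internals." and recommending that templates obtained from others be reviewed the same way as code.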

Diff for: peering_manager/jinja2/__init__.py

+3-2
@@ -10,9 +10,10 @@ def render_jinja2(template, context, trim=False, lstrip=False):
1010
import traceback
1111

1212
from django.conf import settings
13-
from jinja2 import Environment, TemplateSyntaxError
13+
from jinja2 import TemplateSyntaxError
14+
from jinja2.sandbox import SandboxedEnvironment
1415

15-
environment = Environment(
16+
environment = SandboxedEnvironment(
1617
loader=PeeringManagerLoader(), trim_blocks=trim, lstrip_blocks=lstrip
1718
)
1819
environment.add_extension(IncludeTemplateExtension)
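Review bot: `PeeringManagerLoader` and `IncludeTemplateExtension` on lines 16-18 are attached to the new `SandboxedEnvironment` unchanged, so this change restricts how expressions are evaluated but not which templates an untrusted template can load or include; either state that limitation in the commit message and the docs warning, or have the loader restrict what an untrusted template may include. Two related points for the same lines: `SandboxedEnvironment` refuses to call methods flagged `alters_data = True` (Django's `Model.save` and `Model.delete` carry this flag), so any custom method exposed on context objects that changes state needs the same flag to stay unreachable from templates; and if templates should not be able to mutate context objects at all (for example `list.append` or `dict.update` on a passed-in container), `jinja2.sandbox.ImmutableSandboxedEnvironment` is the stricter drop-in choice.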
