Tests and fix for CVE-2021-25283

salt/utils/templates.py

@@ -11,6 +11,7 @@
 
 import jinja2
 import jinja2.ext
+import jinja2.sandbox
 import salt.utils.data
 import salt.utils.dateutils
 import salt.utils.files
@@ -453,9 +454,11 @@ def opt_jinja_env_helper(opts, optname):
         opt_jinja_env_helper(opt_jinja_env, "jinja_env")
 
     if opts.get("allow_undefined", False):
-        jinja_env = jinja2.Environment(**env_args)
+        jinja_env = jinja2.sandbox.SandboxedEnvironment(**env_args)
     else:
-        jinja_env = jinja2.Environment(undefined=jinja2.StrictUndefined, **env_args)
+        jinja_env = jinja2.sandbox.SandboxedEnvironment(
+            undefined=jinja2.StrictUndefined, **env_args
+        )
 
     tojson_filter = jinja_env.filters.get("tojson")
     indent_filter = jinja_env.filters.get("indent")
@@ -506,6 +509,7 @@ def opt_jinja_env_helper(opts, optname):
     except (
         jinja2.exceptions.TemplateRuntimeError,
         jinja2.exceptions.TemplateSyntaxError,
+        jinja2.exceptions.SecurityError,
     ) as exc:
         trace = traceback.extract_tb(sys.exc_info()[2])
         line, out = _get_jinja_error(trace, context=decoded_context)

tests/unit/utils/test_templates.py

@@ -7,6 +7,7 @@
 import sys
 from pathlib import PurePath, PurePosixPath
 
+import pytest
 import salt.utils.files
 import salt.utils.templates
 from tests.support import mock
@@ -201,6 +202,13 @@ def test_render_cheetah_variable(self):
         res = salt.utils.templates.render_cheetah_tmpl(tmpl, ctx)
         self.assertEqual(res.strip(), "OK")
 
+    def test_render_jinja_cve_2021_25283(self):
+        tmpl = """{{ [].__class__ }}"""
+        ctx = dict(self.context)
+        ctx["var"] = "OK"
+        with pytest.raises(salt.exceptions.SaltRenderError):
+            res = salt.utils.templates.render_jinja_tmpl(tmpl, ctx)
+
 
 class MockRender:
     def __call__(self, tplstr, context, tmplpath=None):