You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Jinja2 sandbox escape via string formatting
High severity
GitHub Reviewed
Published
Apr 10, 2019
to the GitHub Advisory Database
•
Updated Aug 30, 2023
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the str.format_map method could be used to escape the sandbox.
This issue was previously addressed for the str.format method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common str.format_map method was overlooked. This release applies the same sandboxing to both methods.
If you cannot upgrade Jinja, you can override the is_safe_attribute method on the sandbox and explicitly disallow the format_map method on string objects.
In Pallets Jinja before 2.10.1,
str.format_mapallows a sandbox escape.The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the
str.format_mapmethod could be used to escape the sandbox.This issue was previously addressed for the
str.formatmethod in Jinja 2.8.1, which discusses the issue in detail. However, the less-commonstr.format_mapmethod was overlooked. This release applies the same sandboxing to both methods.If you cannot upgrade Jinja, you can override the
is_safe_attributemethod on the sandbox and explicitly disallow theformat_mapmethod on string objects.References