* CVE-2024-32651 - Security fix - Server Side Template Injection in Jinja2 allows Remote Command Execution * use ImmutableSandboxedEnvironment also in validation
"""
|
|
Safe Jinja2 render with max payload sizes
|
|
|
|
See https://jinja.palletsprojects.com/en/3.1.x/sandbox/#security-considerations
|
|
"""
import jinja2.sandbox
import typing as t
import os
# Upper bound on what render() hands back, configured in KB through the
# JINJA2_MAX_RETURN_PAYLOAD_SIZE_KB environment variable (default 10 MB).
# The value is applied as a str slice, so it counts characters rather than
# encoded bytes.  A non-integer setting raises ValueError at import time, which
# is preferable to silently rendering without a cap.
JINJA2_MAX_RETURN_PAYLOAD_SIZE = int(os.environ.get("JINJA2_MAX_RETURN_PAYLOAD_SIZE_KB", 10 * 1024)) * 1024


def render(template_str: str, **args: t.Any) -> str:
    """Render ``template_str`` in a Jinja2 sandbox and cap the size of the result.

    A fresh ``ImmutableSandboxedEnvironment`` is built on every call, so no
    template, filter or global state is shared between callers.  The only
    extension enabled is ``jinja2_time.TimeExtension``.  Per the Jinja sandbox
    documentation linked in the module docstring, the immutable sandbox also
    rejects calls that would mutate built-in containers from inside a template.

    Args:
        template_str: Jinja2 template source.  Treat it as untrusted input;
            that is the reason for the sandbox.
        **args: Names exposed to the template as its render context.

    Returns:
        The rendered text, truncated to ``JINJA2_MAX_RETURN_PAYLOAD_SIZE``
        characters.

    Security notes:
        - The cap is applied *after* rendering, so it bounds the returned
          payload, not the memory or CPU the render itself consumes; the
          sandbox is not a resource limit.
        - ``JINJA2_MAX_RETURN_PAYLOAD_SIZE`` is applied to a ``str`` slice and
          therefore counts characters; the encoded size may be larger.
        - ``autoescape`` is not set on this environment (Jinja's default is
          off), so callers embedding the result in HTML must escape it
          themselves.
    """
    sandbox = jinja2.sandbox.ImmutableSandboxedEnvironment(
        extensions=['jinja2_time.TimeExtension'],
    )
    template = sandbox.from_string(template_str)
    rendered = template.render(**args)
    # Truncate rather than raise: an oversized render still yields a usable,
    # bounded result for the caller.
    return rendered[:JINJA2_MAX_RETURN_PAYLOAD_SIZE]