Sync from SUSE:ALP:Source:Standard:1.0 saltbundlepy-jinja2 revision d16a57b2c9cd75f48105dc69a870c0d6
This commit is contained in:
73
CVE-2024-34064.patch
Normal file
73
CVE-2024-34064.patch
Normal file
@@ -0,0 +1,73 @@
|
||||
Index: Jinja2-3.1.2/src/jinja2/filters.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/src/jinja2/filters.py
|
||||
+++ Jinja2-3.1.2/src/jinja2/filters.py
|
||||
@@ -172,6 +172,11 @@ def do_urlencode(
|
||||
)
|
||||
|
||||
|
||||
+# Check for characters that would move the parser state from key to value.
|
||||
+# https://html.spec.whatwg.org/#attribute-name-state
|
||||
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
|
||||
+
|
||||
+
|
||||
@pass_eval_context
|
||||
def do_replace(
|
||||
eval_ctx: "EvalContext", s: str, old: str, new: str, count: t.Optional[int] = None
|
||||
@@ -253,8 +258,15 @@ def do_xmlattr(
|
||||
eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
|
||||
) -> str:
|
||||
"""Create an SGML/XML attribute string based on the items in a dict.
|
||||
- All values that are neither `none` nor `undefined` are automatically
|
||||
- escaped:
|
||||
+
|
||||
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
|
||||
+ escaped, safely allowing untrusted user input.
|
||||
+
|
||||
+ User input should not be used as **keys** to this filter. If any key
|
||||
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
|
||||
+ sign, this fails with a ``ValueError``. Regardless of this, user input
|
||||
+ should never be used as keys to this filter, or must be separately validated
|
||||
+ first.
|
||||
|
||||
.. sourcecode:: html+jinja
|
||||
|
||||
@@ -274,11 +286,18 @@ def do_xmlattr(
|
||||
As you can see it automatically prepends a space in front of the item
|
||||
if the filter returned something unless the second parameter is false.
|
||||
"""
|
||||
- rv = " ".join(
|
||||
- f'{escape(key)}="{escape(value)}"'
|
||||
- for key, value in d.items()
|
||||
- if value is not None and not isinstance(value, Undefined)
|
||||
- )
|
||||
+
|
||||
+ items = []
|
||||
+ for key, value in d.items():
|
||||
+ if value is None or isinstance(value, Undefined):
|
||||
+ continue
|
||||
+
|
||||
+ if _attr_key_re.search(key) is not None:
|
||||
+ raise ValueError("Invalid character in attribute name: %s" % repr(key))
|
||||
+
|
||||
+ items.append(f'{escape(key)}="{escape(value)}"')
|
||||
+
|
||||
+ rv = " ".join(items)
|
||||
|
||||
if autospace and rv:
|
||||
rv = " " + rv
|
||||
Index: Jinja2-3.1.2/tests/test_filters.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/tests/test_filters.py
|
||||
+++ Jinja2-3.1.2/tests/test_filters.py
|
||||
@@ -871,3 +871,10 @@ class TestFilter:
|
||||
with pytest.raises(TemplateRuntimeError, match="No filter named 'f'"):
|
||||
t1.render(x=42)
|
||||
t2.render(x=42)
|
||||
+
|
||||
+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
|
||||
+ def test_xmlattr_key_invalid(self, env, sep):
|
||||
+ with pytest.raises(ValueError, match="Invalid character"):
|
||||
+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
|
||||
+ key=f"class{sep}onclick=alert(1)"
|
||||
+ )
|
64
CVE-2024-56201.patch
Normal file
64
CVE-2024-56201.patch
Normal file
@@ -0,0 +1,64 @@
|
||||
From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
|
||||
From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
|
||||
Date: Fri, 26 May 2023 14:32:36 +0200
|
||||
Subject: [PATCH] fix f-string syntax error in code generation
|
||||
|
||||
---
|
||||
src/jinja2/compiler.py | 7 ++++++-
|
||||
tests/test_compile.py | 19 +++++++++++++++++++
|
||||
2 files changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: Jinja2-3.1.2/src/jinja2/compiler.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/src/jinja2/compiler.py
|
||||
+++ Jinja2-3.1.2/src/jinja2/compiler.py
|
||||
@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor):
|
||||
)
|
||||
self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
|
||||
self.indent()
|
||||
+ # The position will contain the template name, and will be formatted
|
||||
+ # into a string that will be compiled into an f-string. Curly braces
|
||||
+ # in the name must be replaced with escapes so that they will not be
|
||||
+ # executed as part of the f-string.
|
||||
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
|
||||
message = (
|
||||
"the template {included_template.__name__!r}"
|
||||
- f" (imported on {self.position(node)})"
|
||||
+ f" (imported on {position})"
|
||||
f" does not export the requested name {name!r}"
|
||||
)
|
||||
self.writeline(
|
||||
Index: Jinja2-3.1.2/tests/test_compile.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/tests/test_compile.py
|
||||
+++ Jinja2-3.1.2/tests/test_compile.py
|
||||
@@ -1,6 +1,9 @@
|
||||
import os
|
||||
import re
|
||||
|
||||
+import pytest
|
||||
+
|
||||
+from jinja2 import UndefinedError
|
||||
from jinja2.environment import Environment
|
||||
from jinja2.loaders import DictLoader
|
||||
|
||||
@@ -26,3 +29,19 @@ def test_import_as_with_context_determin
|
||||
expect = [f"'bar{i}': " for i in range(10)]
|
||||
found = re.findall(r"'bar\d': ", content)[:10]
|
||||
assert found == expect
|
||||
+
|
||||
+
|
||||
+def test_undefined_import_curly_name():
|
||||
+ env = Environment(
|
||||
+ loader=DictLoader(
|
||||
+ {
|
||||
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
|
||||
+ "macro": "",
|
||||
+ }
|
||||
+ )
|
||||
+ )
|
||||
+
|
||||
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
|
||||
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
|
||||
+ with pytest.raises(UndefinedError):
|
||||
+ env.get_template("{bad}").render()
|
169
CVE-2024-56326.patch
Normal file
169
CVE-2024-56326.patch
Normal file
@@ -0,0 +1,169 @@
|
||||
From 91a972f5808973cd441f4dc06873b2f8378f30c7 Mon Sep 17 00:00:00 2001
|
||||
From: Lydxn <hlyndon20@gmail.com>
|
||||
Date: Mon, 23 Sep 2024 15:09:10 -0700
|
||||
Subject: [PATCH] sandbox indirect calls to str.format
|
||||
|
||||
---
|
||||
src/jinja2/sandbox.py | 81 ++++++++++++++++++++++--------------------
|
||||
tests/test_security.py | 17 +++++++++
|
||||
2 files changed, 60 insertions(+), 38 deletions(-)
|
||||
|
||||
Index: Jinja2-3.1.2/src/jinja2/sandbox.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/src/jinja2/sandbox.py
|
||||
+++ Jinja2-3.1.2/src/jinja2/sandbox.py
|
||||
@@ -7,6 +7,7 @@ import typing as t
|
||||
from _string import formatter_field_name_split # type: ignore
|
||||
from collections import abc
|
||||
from collections import deque
|
||||
+from functools import update_wrapper
|
||||
from string import Formatter
|
||||
|
||||
from markupsafe import EscapeFormatter
|
||||
@@ -80,20 +81,6 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type, t
|
||||
)
|
||||
|
||||
|
||||
-def inspect_format_method(callable: t.Callable) -> t.Optional[str]:
|
||||
- if not isinstance(
|
||||
- callable, (types.MethodType, types.BuiltinMethodType)
|
||||
- ) or callable.__name__ not in ("format", "format_map"):
|
||||
- return None
|
||||
-
|
||||
- obj = callable.__self__
|
||||
-
|
||||
- if isinstance(obj, str):
|
||||
- return obj
|
||||
-
|
||||
- return None
|
||||
-
|
||||
-
|
||||
def safe_range(*args: int) -> range:
|
||||
"""A range that can't generate ranges with a length of more than
|
||||
MAX_RANGE items.
|
||||
@@ -313,6 +300,9 @@ class SandboxedEnvironment(Environment):
|
||||
except AttributeError:
|
||||
pass
|
||||
else:
|
||||
+ fmt = self.wrap_str_format(value)
|
||||
+ if fmt is not None:
|
||||
+ return fmt
|
||||
if self.is_safe_attribute(obj, argument, value):
|
||||
return value
|
||||
return self.unsafe_undefined(obj, argument)
|
||||
@@ -330,6 +320,9 @@ class SandboxedEnvironment(Environment):
|
||||
except (TypeError, LookupError):
|
||||
pass
|
||||
else:
|
||||
+ fmt = self.wrap_str_format(value)
|
||||
+ if fmt is not None:
|
||||
+ return fmt
|
||||
if self.is_safe_attribute(obj, attribute, value):
|
||||
return value
|
||||
return self.unsafe_undefined(obj, attribute)
|
||||
@@ -345,34 +338,49 @@ class SandboxedEnvironment(Environment):
|
||||
exc=SecurityError,
|
||||
)
|
||||
|
||||
- def format_string(
|
||||
- self,
|
||||
- s: str,
|
||||
- args: t.Tuple[t.Any, ...],
|
||||
- kwargs: t.Dict[str, t.Any],
|
||||
- format_func: t.Optional[t.Callable] = None,
|
||||
- ) -> str:
|
||||
- """If a format call is detected, then this is routed through this
|
||||
- method so that our safety sandbox can be used for it.
|
||||
+ def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]:
|
||||
+ """If the given value is a ``str.format`` or ``str.format_map`` method,
|
||||
+ return a new function than handles sandboxing. This is done at access
|
||||
+ rather than in :meth:`call`, so that calls made without ``call`` are
|
||||
+ also sandboxed.
|
||||
"""
|
||||
+ if not isinstance(
|
||||
+ value, (types.MethodType, types.BuiltinMethodType)
|
||||
+ ) or value.__name__ not in ("format", "format_map"):
|
||||
+ return None
|
||||
+
|
||||
+ f_self: t.Any = value.__self__
|
||||
+
|
||||
+ if not isinstance(f_self, str):
|
||||
+ return None
|
||||
+
|
||||
+ str_type: t.Type[str] = type(f_self)
|
||||
+ is_format_map = value.__name__ == "format_map"
|
||||
formatter: SandboxedFormatter
|
||||
- if isinstance(s, Markup):
|
||||
- formatter = SandboxedEscapeFormatter(self, escape=s.escape)
|
||||
+
|
||||
+ if isinstance(f_self, Markup):
|
||||
+ formatter = SandboxedEscapeFormatter(self, escape=f_self.escape)
|
||||
else:
|
||||
formatter = SandboxedFormatter(self)
|
||||
|
||||
- if format_func is not None and format_func.__name__ == "format_map":
|
||||
- if len(args) != 1 or kwargs:
|
||||
- raise TypeError(
|
||||
- "format_map() takes exactly one argument"
|
||||
- f" {len(args) + (kwargs is not None)} given"
|
||||
- )
|
||||
+ vformat = formatter.vformat
|
||||
+
|
||||
+ def wrapper(*args: t.Any, **kwargs: t.Any) -> str:
|
||||
+ if is_format_map:
|
||||
+ if kwargs:
|
||||
+ raise TypeError("format_map() takes no keyword arguments")
|
||||
+
|
||||
+ if len(args) != 1:
|
||||
+ raise TypeError(
|
||||
+ f"format_map() takes exactly one argument ({len(args)} given)"
|
||||
+ )
|
||||
+
|
||||
+ kwargs = args[0]
|
||||
+ args = ()
|
||||
|
||||
- kwargs = args[0]
|
||||
- args = ()
|
||||
+ return str_type(vformat(f_self, args, kwargs))
|
||||
|
||||
- rv = formatter.vformat(s, args, kwargs)
|
||||
- return type(s)(rv)
|
||||
+ return update_wrapper(wrapper, value)
|
||||
|
||||
def call(
|
||||
__self, # noqa: B902
|
||||
@@ -382,9 +390,6 @@ class SandboxedEnvironment(Environment):
|
||||
**kwargs: t.Any,
|
||||
) -> t.Any:
|
||||
"""Call an object from sandboxed code."""
|
||||
- fmt = inspect_format_method(__obj)
|
||||
- if fmt is not None:
|
||||
- return __self.format_string(fmt, args, kwargs, __obj)
|
||||
|
||||
# the double prefixes are to avoid double keyword argument
|
||||
# errors when proxying the call.
|
||||
Index: Jinja2-3.1.2/tests/test_security.py
|
||||
===================================================================
|
||||
--- Jinja2-3.1.2.orig/tests/test_security.py
|
||||
+++ Jinja2-3.1.2/tests/test_security.py
|
||||
@@ -171,3 +171,20 @@ class TestStringFormatMap:
|
||||
'{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}'
|
||||
)
|
||||
assert t.render() == "a42b<foo>"
|
||||
+
|
||||
+ def test_indirect_call(self):
|
||||
+ def run(value, arg):
|
||||
+ return value.run(arg)
|
||||
+
|
||||
+ env = SandboxedEnvironment()
|
||||
+ env.filters["run"] = run
|
||||
+ t = env.from_string(
|
||||
+ """{% set
|
||||
+ ns = namespace(run="{0.__call__.__builtins__[__import__]}".format)
|
||||
+ %}
|
||||
+ {{ ns | run(not_here) }}
|
||||
+ """
|
||||
+ )
|
||||
+
|
||||
+ with pytest.raises(SecurityError):
|
||||
+ t.render()
|
@@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 18 12:36:44 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
|
||||
|
||||
- Add security patch CVE-2024-56201.patch (bsc#1234808)
|
||||
- Add security patch CVE-2024-56326.patch (bsc#1234809)
|
||||
|
||||
- Add CVE-2024-34064.patch upstream patch
|
||||
(CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4)
|
||||
Also fixes (CVE-2024-22195, bsc#1218722)
|
||||
|
||||
- Added:
|
||||
* CVE-2024-56201.patch
|
||||
* CVE-2024-56326.patch
|
||||
* CVE-2024-34064.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 14 16:28:10 UTC 2023 - Victor Zhestkov <vzhestkov@suse.com>
|
||||
|
||||
|
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package saltbundlepy-jinja2
|
||||
#
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -19,10 +19,6 @@
|
||||
%{?!saltbundlepy_module:%define saltbundlepy_module() saltbundlepy-%{**}}
|
||||
%define pythons saltbundlepy
|
||||
|
||||
# Disable python bytecompile for all distros
|
||||
# It's called explicitly in the spec
|
||||
%global __brp_python_bytecompile %{nil}
|
||||
|
||||
Name: saltbundlepy-jinja2
|
||||
Version: 3.1.2
|
||||
Release: 0
|
||||
@@ -31,7 +27,13 @@ License: BSD-3-Clause
|
||||
Group: Development/Languages/Python
|
||||
URL: https://jinja.palletsprojects.com
|
||||
Source: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
|
||||
BuildRequires: %{saltbundlepy_module devel >= 3.10}
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-34064.patch gh#pallets/jinja@0668239dc6b4
|
||||
Patch0: CVE-2024-34064.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-56201.patch
|
||||
Patch1: CVE-2024-56201.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-56326.patch
|
||||
Patch2: CVE-2024-56326.patch
|
||||
BuildRequires: %{saltbundlepy_module devel >= 3.11}
|
||||
BuildRequires: %{saltbundlepy_module markupsafe}
|
||||
BuildRequires: %{saltbundlepy_module setuptools}
|
||||
BuildRequires: fdupes
|
||||
@@ -47,8 +49,7 @@ inspired non-XML syntax but supports inline expressions and an optional
|
||||
sandboxed environment.
|
||||
|
||||
%prep
|
||||
%setup -q -n Jinja2-%{version}
|
||||
%autopatch -p1
|
||||
%autosetup -p1 -n Jinja2-%{version}
|
||||
|
||||
%build
|
||||
%python_build
|
||||
|
Reference in New Issue
Block a user