Sandbox template rendering

Hi all,

This is really intended more for developers, but with the future
introduction of uploadable kickstart/jumpstart/etc templates, we need
to ensure that templates are rendered safely.

Ohad had pointed me to the following project:

https://github.com/svenfuchs/safemode

It is still quite experimental, but from my tests it seemed very
promising. It will require a bit of explicitly telling the sandbox
what is allowed and what is not.

By default it doesn't allow any access to model attributes. For
example '@host.name' would fail without adding the following to the
host model:

# inside the Host model
class Jail < Safemode::Jail
  allow :name   # the only Host attribute a template may read
end

so we would need to add this in all the models that would need to be
accessed (environment, operating system, etc…).

Also, when doing the rendering, none of the local variables or helper
methods are available, so you'd have to do something like this:

require 'erb'

def safe_render(template)
  # self is the delegate; only its foreman_url and grub_pass are callable from the template
  box = Safemode::Box.new self, [:foreman_url, :grub_pass]
  # compile the ERB to Ruby and evaluate it in the box with @host as the only assign
  box.eval(ERB.new(template).src, { :host => @host })
end

So this does a few things: it exposes the 'foreman_url' and
'grub_pass' methods to the template, as well as exposing the 'host'
variable to it. So all needed variables and methods will have to be
explicitly given to the sandbox.

Thoughts?

-Justin
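The two mechanisms the message above describes (a Jail that allowlists a model's attributes, and a Box that hands the template only named helper methods and assigns) are the whole point, so here is an added, self-contained illustration of them. It is not part of this thread and uses neither the safemode gem nor any Foreman code; it reimplements the idea in miniature with Ruby's bundled Ripper parser so that it runs on its own. MiniSafemode, Host, Environment, TemplateHelpers, root_pass, secret_token and the sample values are assumptions made for the example; foreman_url and grub_pass are the helper names from the message.

```ruby
require 'erb'
require 'ripper'

# MiniSafemode is an illustration written for this page of the two layers the thread describes;
# it is not the safemode gem and not Foreman code. Layer 1 is a parse-time gate over the Ruby
# that ERB compiles a template into; layer 2 is a Jail per model exposing allowlisted attributes.
module MiniSafemode
  class Error < StandardError; end
  # Method names ERB's compiled output needs, plus a few harmless formatters.
  PLUMBING = %w[<< concat freeze to_s upcase downcase strip size empty? join].freeze
  # Parse-tree nodes a template has no business containing: constants (File, Kernel, ...),
  # globals, backticks, method/class definitions, super/yield.
  FORBIDDEN = %i[@const @gvar @cvar @backref xstring_literal def defs class module sclass
                 alias undef super zsuper yield yield0 BEGIN END].freeze
  JAILS = [] # every Jail subclass; their allow lists form the static method allowlist
  # Nest one per model (class Host; class Jail < MiniSafemode::Jail; allow :name; end; end). BasicObject
  # has no class/send/instance_variable_get to reach, so every call lands in method_missing.
  class Jail < BasicObject
    def self.inherited(sub); super; sub.instance_variable_set(:@allowed, []); JAILS << sub; end
    def self.allow(*names); @allowed.concat(names.map(&:to_s)); end
    def self.allowed; @allowed; end
    def initialize(target, allowed); @target, @allowed = target, allowed; end
    def method_missing(name, *args, &block)
      unless @allowed.include?(name.to_s)
        ::Kernel.raise(Error, "#{@target.class}##{name} is not exposed to templates")
      end
      ::MiniSafemode.wrap(@target.public_send(name, *args, &block)) # results are jailed too
    end
  end

  # Everything that enters a template passes through here.
  def self.wrap(obj)
    jail = obj.class.const_get(:Jail, false) if obj.class.const_defined?(:Jail, false)
    return jail.new(obj, jail.allowed) if jail
    return obj.map { |v| wrap(v) } if obj.is_a?(Array)
    return obj if [String, Integer, Float, Symbol, NilClass, TrueClass, FalseClass].any? { |k| obj.is_a?(k) }
    raise Error, "#{obj.class} has no Jail and cannot enter a template"
  end

  # Static gate: walk the Ripper S-expression of the compiled template before it runs.
  def self.walk(node, delegates, allowed)
    return unless node.is_a?(Array)
    raise Error, "#{node.first} is not allowed in templates" if FORBIDDEN.include?(node.first)
    case node.first
    when :call, :command_call     then permit(node[3], allowed)   # receiver.method: a Jail must expose it
    when :fcall, :vcall, :command then permit(node[1], delegates) # bare method: only delegated helpers
    end
    node.each { |child| walk(child, delegates, allowed) }
  end

  def self.permit(meth, list)
    name = meth[1] if meth.is_a?(Array) && meth[0] != :@const
    raise Error, "method #{name || meth.inspect} is not allowed" unless name && list.include?(name)
  end

  # The template's self. Its binding comes from a method, so no caller locals leak in;
  # it holds only the jailed assigns and the delegated helpers.
  class Scope
    def initialize(delegate, delegate_methods, assigns)
      assigns.each { |k, v| instance_variable_set("@#{k}", MiniSafemode.wrap(v)) }
      delegate_methods.each do |m|
        define_singleton_method(m) { |*args| MiniSafemode.wrap(delegate.public_send(m, *args)) }
      end
    end
    def template_binding; binding; end
  end

  class Box
    def initialize(delegate, delegate_methods = []); @delegate, @delegate_methods = delegate, delegate_methods; end
    def render(template, assigns = {})
      src = ERB.new(template).src # template -> Ruby source
      tree = Ripper.sexp(src) or raise Error, 'template does not parse'
      MiniSafemode.walk(tree, @delegate_methods.map(&:to_s), PLUMBING + JAILS.flat_map(&:allowed))
      Scope.new(@delegate, @delegate_methods, assigns).template_binding.eval(src, '(template)', 1)
    end
  end
end

# Constructed stand-ins for Foreman's models and helpers (assumed names and values).
Environment = Struct.new(:name)
class Environment; class Jail < MiniSafemode::Jail; allow :name; end; end
Host = Struct.new(:name, :ip, :root_pass, :environment)
class Host; class Jail < MiniSafemode::Jail; allow :name, :ip, :environment; end; end # root_pass stays hidden
class TemplateHelpers
  def foreman_url;  'https://foreman.example.com'; end
  def grub_pass;    '--iscrypted --password=example'; end
  def secret_token; 'never-meant-for-templates'; end # exists, but is not delegated
end
def demo_host; Host.new('web01.example.com', '192.0.2.10', 'hunter2', Environment.new('production')); end

# [:ok, output] or [:blocked, reason], so each template's outcome can be inspected.
def attempt(template, assigns = { host: demo_host })
  box = MiniSafemode::Box.new(TemplateHelpers.new, [:foreman_url, :grub_pass])
  [:ok, box.render(template, assigns)]
rescue MiniSafemode::Error => e
  [:blocked, e.message]
end

if __FILE__ == $PROGRAM_NAME # stand-alone run: show which templates get through
  ['hostname <%= @host.name %> url <%= foreman_url %>/ks', '<%= @host.root_pass %>', '<%= @host.environment %>',
   "<%= File.read('/etc/shadow') %>", "<%= system('id') %>", '<%= `id` %>', '<%= secret_token %>'].each { |t| p [t, attempt(t)] }
end
```

A template gets through only if every construct passes the parse-time gate and every model access passes a Jail: `@host.root_pass` is rejected before anything is evaluated because no Jail exposes `root_pass`, `@host.environment` is rejected at run time because the Environment Jail does not expose `to_s`, and `File.read`, `system`, backticks, `send` and the undelegated `secret_token` never run. Two caveats a reviewer would raise: the gate says nothing about resource use (`<% while true %>` still needs a timeout around render), and the single global list of receiver method names is a simplification that trades precision for brevity, which is why the per-model Jail stays in place as the second check.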

>>
>> Hi all,
>>
>> This is really intended more for developers, but with the future
>> introduction of uploadable kickstart/jumpstart/etc templates, we need
>> to ensure that templates are rendered safely.
>>
>> Ohad had pointed me to the following project:
>>
>> https://github.com/svenfuchs/safemode
>>
>> It is still quite experimental, but from my tests it seemed very
>> promising. It will require a bit of explicitly telling the sandbox
>> what is allowed and what is not.
>>
>> By default it doesn't allow any access to model attributes. For
>> example '@host.name' would fail without adding the following to the
>> host model:
>>
>> class Jail < Safemode::Jail
>>   allow :name
>> end
>>
>> so we would need to add this in all the models that would need to be
>> accessed (environment, operating system, etc…).
>>
>> Also, when doing the rendering, none of the local variables or helper
>> methods are available, so you'd have to do something like this:
>>
>> def safe_render(template)
>>   box = Safemode::Box.new self, [:foreman_url, :grub_pass]
>>   box.eval(ERB.new(template).src, {:host=>@host})
>> end
>>
>
>
> This does protect from known attack vectors with server-side templating. I
> don't know how often they are exploited, but it would be cool.

This exact issue was a serious issue with Cobbler not too long ago,
and took a while to come up with a fix for. I figured we should
tackle it while creating the multi-template feature rather than
waiting for someone to find it.

-Justin

On Mon, Nov 22, 2010 at 4:11 PM, Bryan Kearney wrote:
> On 11/22/2010 03:02 PM, Justin Sherrill wrote:

– bk