Template rendering - Safemode

obol89 · February 13, 2020, 8:42am

Hi,

I’m using Foreman 1.23 and I’m trying to write my own template. Unfortunately, I have a few similar issues where Safemode doesn’t allow to access some variables or resources.
Error example:
There was an error rendering the kickstart_centos7 template: Safemode doesn't allow to access 'section_end' on #<Safemode::ScopeObject>

I had a similar issue with img_name

What is the reason of these errors? Thank you for help.

areyus · February 13, 2020, 8:50am

Hi,

the reason for these errors is, that safemode rendering for ERB templates is enabled by default in Foreman.
This is done to protect certain parts of potentially sensitive data to leak via templates and to prevent arbitrary code execution on the Foreman.
Depending on who uses the Foreman on your site and how you use it, this may or may not be useful to you.
Some information on this topic can be found on the wikipage on template writing. There is also information on how to turn safemode off if it is not relevant to you.

Regards

Marek_Hulan · February 14, 2020, 8:32am

I’d just add that adding more methods to the safemode whitelist is usually easy. However the img_name and section_end are a local variable used in Kickstart Default template, perhaps you’re trying to access it before it’s defined or outside of it’s scope. It would probably help if you upload the template you’re trying to write. Here’s how these variables gets defined in Kickstart Default

github.com

theforeman/community-templates/blob/develop/provisioning_templates/provision/kickstart_default.erb#L52


os_major = @host.operatingsystem.major.to_i
os_minor = @host.operatingsystem.minor.to_i
realm_compatible = (@host.operatingsystem.name == 'Fedora' && os_major >= 20) || (rhel_compatible && os_major >= 7)
# safemode renderer does not support unary negation
pm_set = @host.puppetmaster.empty? ? false : true
proxy_uri = host_param('http-proxy') ? "http://#{host_param('http-proxy')}:#{host_param('http-proxy-port')}" : nil
proxy_string = proxy_uri ? " --proxy=#{proxy_uri}" : ''
puppet_enabled = pm_set || host_param_true?('force-puppet')
salt_enabled = host_param('salt_master') ? true : false
chef_enabled = @host.respond_to?(:chef_proxy) && @host.chef_proxy
section_end = (rhel_compatible && os_major <= 5) ? '' : '%end'
use_ntp = host_param_true?('use-ntp') || (is_fedora && os_major < 16) || (rhel_compatible && os_major <= 7)
iface = @host.provision_interface
network_options = []
if (is_fedora && os_major >= 14 ) || (rhel_compatible && os_major >= 6)
  network_options.push("--device=#{@host.mac}")
end


if iface.tag.present? && iface.attached_to.present?
  network_options.push("--vlanid=#{iface.tag}")
  if (is_fedora && os_major >= 17) || (rhel_compatible && os_major >= 7)

github.com

theforeman/community-templates/blob/develop/provisioning_templates/provision/kickstart_default.erb#L73


      network_options.push("--interfacename=vlan#{iface.tag}")
    end
  end
-%>


<% if (is_fedora && os_major < 29) || (rhel_compatible && os_major <= 7) -%>
install
<% end -%>
<%
if host_param('kickstart_liveimg')
  img_name = host_param('kickstart_liveimg')
  liveimg_url = if host_param('kt_activation_keys')
    repository_url(img_name, 'isos')
  else
    if img_name.match(%r|^([\w\-\+]+)://|)
      img_name
    else
      "#{medium_uri}/#{img_name}"
    end
  end
%>

obol89 · February 14, 2020, 8:37am

Thank you! I just missed defining the local variables. @areyus your answer was also really helpful.