Merge pull request #202 from peopledoc/sandbox

Author: Joachim Jablon

tests/unit/test_client_base.py

@@ -461,6 +461,23 @@ def test_vault_client_base_render_template(vault):
     assert vault.render_template("Hello {{ vault('a/b').value }}") == "Hello c"
 
 
+def test_vault_client_base_render_template_error(vault):
+
+    with pytest.raises(exceptions.VaultRenderTemplateError):
+        assert vault.render_template("Hello {{ vault(") == "Hello c"
+
+
+def test_vault_client_base_render_template_security_error(vault):
+
+    with pytest.raises(exceptions.VaultRenderTemplateError):
+        assert (
+            vault.render_template(
+                "Hello {{ joiner.__init__.__globals__.os.popen('date') }}"
+            )
+            == "Hello c"
+        )
+
+
 @pytest.mark.parametrize("template", ["Hello {{ vault('a/b') }}", "Hello {{"])
 def test_vault_client_base_render_template_path_not_found(vault, template):
     with pytest.raises(exceptions.VaultRenderTemplateError):

vault_cli/client.py

@@ -6,6 +6,7 @@
 
 import hvac  # type: ignore
 import jinja2
+import jinja2.sandbox
 import requests.packages.urllib3
 
 from vault_cli import exceptions, sessions, settings, types, utils
@@ -515,12 +516,16 @@ def vault(path):
                     "Error while rendering template"
                 ) from exc
 
-        env = jinja2.Environment(
+        env = jinja2.sandbox.SandboxedEnvironment(
             loader=jinja2.FileSystemLoader(search_path.as_posix()),
             keep_trailing_newline=True,
         )
         try:
             return env.from_string(template).render(vault=vault)
+        except jinja2.exceptions.SecurityError as exc:
+            raise exceptions.VaultRenderTemplateError(
+                "Jinja2 template security error"
+            ) from exc
         except jinja2.exceptions.TemplateSyntaxError as exc:
             raise exceptions.VaultRenderTemplateError(
                 "Jinja2 template syntax error"