Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions - CVE-2025-14700 (!927) · Merge requests · Crafty Controller / Crafty 4

What does this MR do and why?

Replaces generic Jinja Environment with a hardened ImmutableSandboxedEnvironment

This now raises an jinja2.exceptions.SecurityError exception when an attempt is made to access unsafe attributes.

Resolves: #646

How to set up and validate locally

Pull Branch
Attempt one of the Jinja expressions listed in parent issue
Review absence of webhook notification and exception in log.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Have you checked this doesn't interfere/conflict/duplicate someone elses work?
Have you fully tested your changes?
Have you resolved any lint issues?
Have you assigned a reviewer?
Have you applied correct labels?

Edited Dec 13, 2025 by Iain Powrie

Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions - CVE-2025-14700

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports