From c045bfd37bc91b09b31a232b7a53d1fba1958f96 Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Sat, 13 Dec 2025 18:38:35 +0000
Subject: [PATCH 1/3] Replace generic Jinja `Environment` with an `ImmutableSandboxedEnvironment`

Resolves users being able to access unsafe builtin attributes w/ jinja expressions
Co-Authored-By: @rchar

---
 app/classes/web/webhooks/base_webhook.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/classes/web/webhooks/base_webhook.py b/app/classes/web/webhooks/base_webhook.py
index e031903e..5824a47b 100644
--- a/app/classes/web/webhooks/base_webhook.py
+++ b/app/classes/web/webhooks/base_webhook.py
@@ -3,7 +3,8 @@ import logging
 import datetime
 import time
 import requests
-from jinja2 import Environment, BaseLoader
+from jinja2 import BaseLoader
+from jinja2.sandbox import ImmutableSandboxedEnvironment
 from app.classes.helpers.helpers import Helpers
@@ -11,6 +12,13 @@ logger = logging.getLogger(__name__)
 helper = Helpers()
+class CraftyRestrictedEnvironment(ImmutableSandboxedEnvironment):
+    def is_safe_attribute(self, obj, attr, value):
+        if attr.startswith("_"):
+            return False
+        return super().is_safe_attribute(obj, attr, value)
+
+
 class WebhookProvider(ABC):
     """
     Base class for all webhook providers.
@@ -20,7 +28,7 @@ class WebhookProvider(ABC):
     """
     def __init__(self):
-        self.jinja_env = Environment(
+        self.jinja_env = CraftyRestrictedEnvironment(
             loader=BaseLoader(),
             autoescape=True,
         )
--
GitLab

From 2e1c007ce7c76d6fc384006371e540584357cff3 Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Sat, 13 Dec 2025 18:38:52 +0000
Subject: [PATCH 2/3] Update changelog !927

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d65cdb9a..d53076e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
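Review bot: The `is_safe_attribute` override on `CraftyRestrictedEnvironment` (second hunk of base_webhook.py) carries no docstring, and as written it reproduces what the parent already does: jinja2's `SandboxedEnvironment.is_safe_attribute` itself rejects every attribute whose name starts with `_` before falling back to `is_internal_attribute`, so the early `return False` never changes the outcome. If the point is to pin the underscore rule locally so that a future jinja2 release cannot relax it, state that in the method, e.g. `"""Reject every underscore-prefixed attribute before deferring to the sandbox; kept local so a change in jinja2's default policy cannot widen what user-supplied templates may reach."""`; if not, the subclass can be dropped and `ImmutableSandboxedEnvironment` instantiated directly in `__init__`. The class should also record why a sandbox is needed at all — the commit message implies the template text is user-controlled, and that trust boundary is not visible from the code. `WebhookProvider.__init__` may continue past the third hunk's closing `)`.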
@@ -1,9 +1,12 @@
 # Changelog
 ## --- [4.6.2] - 2025/TBD
+## NOTE From this version onwards, Python 3.9 will no longer work with Crafty
+
 ### New features
 TBD
 ### Bug fixes
 - Refactor translation parsing on creation pages ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/925))
+- Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/927))
 ### Tweaks
 - Update documentation reference url in API index ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/921))
 - Bump Orjson to 3.11.4 to resolve support for Python 3.14 ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/922))
--
GitLab

From f78e1fdf209ff779d4e5bef66793f8d526f1d673 Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Sun, 14 Dec 2025 15:09:18 +0000
Subject: [PATCH 3/3] Update changelog !927

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d53076e7..5b3ba3a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@
 TBD
 ### Bug fixes
 - Refactor translation parsing on creation pages ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/925))
-- Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/927))
+- [`CVE-2025-14700`] Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/927))
 ### Tweaks
 - Update documentation reference url in API index ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/921))
 - Bump Orjson to 3.11.4 to resolve support for Python 3.14 ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/922))
--
GitLab