
fix(weblate): Server Side Template Injection on render_template `jinja2.sandbox`

Open · kreeksec opened this issue 6 months ago · 1 comment

https://github.com/WeblateOrg/weblate/blob/10ca938b5fe85a5fb9ada89483c84c5db8feb7a3/weblate/utils/render.py#L99-L99

Fix the issue: the render_template function should use a sandboxed environment for template rendering. Django's template system does not provide a built-in sandbox, but switching to Jinja2's SandboxedEnvironment can address this issue. The SandboxedEnvironment restricts access to unsafe methods and attributes, preventing remote code execution.

Steps to implement the fix:

  1. Import SandboxedEnvironment from jinja2.sandbox.
  2. Replace the Template constructor with SandboxedEnvironment().from_string(template) in the render_template function.
  3. Ensure that the kwargs passed to the template rendering are properly escaped to prevent cross-site scripting (XSS).

Server-Side Template Injection

kreeksec avatar Jun 04 '25 08:06 kreeksec

That's the purpose of the RestrictedEngine, did you spot any issue in its implementation? Furthermore, jinja2 is currently not a runtime dependency of Weblate.

nijel avatar Jun 09 '25 09:06 nijel

This pull request has been automatically marked as stale because there wasn’t any recent activity.

It will be closed soon if no further action occurs.

Thank you for your contributions!

github-actions[bot] avatar Jul 10 '25 02:07 github-actions[bot]