From 1cf2f009edf7d06e47250a364d1ae9302247c657 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Tue, 7 Jul 2020 10:59:14 -0400
Subject: [PATCH] prevent unsafe jinja from being saved in the first place for
 cred types

see: https://github.com/ansible/tower-security/issues/21
---
 awx/main/fields.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/awx/main/fields.py b/awx/main/fields.py
index a1900294fa..0122b0ab80 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -7,8 +7,8 @@ import json
 import re
 import urllib.parse
 
-from jinja2 import Environment, StrictUndefined
-from jinja2.exceptions import UndefinedError, TemplateSyntaxError
+from jinja2 import sandbox, StrictUndefined
+from jinja2.exceptions import UndefinedError, TemplateSyntaxError, SecurityError
 
 # Django
 from django.contrib.postgres.fields import JSONField as upstream_JSONBField
@@ -940,7 +940,7 @@ class CredentialTypeInjectorField(JSONSchemaField):
                     self.validate_env_var_allowed(key)
             for key, tmpl in injector.items():
                 try:
-                    Environment(
+                    sandbox.ImmutableSandboxedEnvironment(
                         undefined=StrictUndefined
                     ).from_string(tmpl).render(valid_namespace)
                 except UndefinedError as e:
@@ -950,6 +950,10 @@ class CredentialTypeInjectorField(JSONSchemaField):
                         code='invalid',
                         params={'value': value},
                     )
+                except SecurityError as e:
+                    raise django_exceptions.ValidationError(
+                        _('Encountered unsafe code execution: {}').format(e)
+                    )
                 except TemplateSyntaxError as e:
                     raise django_exceptions.ValidationError(
                         _('Syntax error rendering template for {sub_key} inside of {type} ({error_msg})').format(