[Django] #33986: Code formatters should be looked up before template rendering in startapp/startproject


Django

Sep 6, 2022, 1:13:20 PM
to django-...@googlegroups.com
#33986: Code formatters should be looked up before template rendering in
startapp/startproject
----------------------------------------+----------------------------------------
Reporter:  Shai Berger                  | Owner:  Shai Berger
Type:  Cleanup/optimization             | Status:  assigned
Component:  Core (Management commands)  | Version:  dev
Severity:  Normal                       | Keywords:  hardening
Triage Stage:  Unreviewed               | Has patch:  0
Needs documentation:  0                 | Needs tests:  0
Patch needs improvement:  0             | Easy pickings:  0
UI/UX:  0                               |
----------------------------------------+----------------------------------------
The Security Team received a report about "binary planting" in custom
templates for the {{{startproject}}} and {{{startapp}}} commands:

- These commands use the {{{black}}} code formatter if it is installed, so
they look for it as an executable on the system path;
- Under some circumstances, the template used for the new project or app
will be rendered onto the path (e.g. on Windows the current directory is
on the system path by default, and although this is not the default, the
template may be rendered into the current directory);
- In the current code, {{{black}}} is only looked up when it is time to
run it, that is, after the template has been rendered;
- So if all the stars above align "correctly", the management command may
execute a {{{black}}} command that is included in the template;
- Custom templates can be specified using a remote URL -- in that case,
downloaded code would be executed immediately.

The Security Team decided that this should not be treated as a
vulnerability, since custom templates already get very wide access via the
Django Template Language. It still seemed worthwhile to change things so
that the lookup should happen before the custom template can affect the
choice of executable, and to amplify the warnings in the documentation
that custom templates are treated as trusted code.

Thanks Trung Pham of Viettel Cyber Security for the report

--
Ticket URL: <https://code.djangoproject.com/ticket/33986>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 6, 2022, 1:25:15 PM
to django-...@googlegroups.com
#33986: Code formatters should be looked up before template rendering in
startapp/startproject
----------------------------------------+----------------------------------------
Reporter:  Shai Berger                  | Owner:  Shai Berger
Type:  Cleanup/optimization             | Status:  assigned
Component:  Core (Management commands)  | Version:  dev
Severity:  Normal                       | Resolution:
Keywords:  hardening                    | Triage Stage:  Accepted
Has patch:  1                           | Needs documentation:  0
Needs tests:  0                         | Patch needs improvement:  0
Easy pickings:  0                       | UI/UX:  0
----------------------------------------+----------------------------------------
Changes (by Mariusz Felisiak):

* has_patch: 0 => 1
* stage: Unreviewed => Accepted


Comment:

[https://github.com/django/django/pull/15999 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/33986#comment:1>

Django

Sep 7, 2022, 4:12:57 AM
to django-...@googlegroups.com
#33986: Code formatters should be looked up before template rendering in
startapp/startproject
----------------------------------------+----------------------------------------
Reporter:  Shai Berger                  | Owner:  Shai Berger
Type:  Cleanup/optimization             | Status:  assigned
Component:  Core (Management commands)  | Version:  dev
Severity:  Normal                       | Resolution:
Keywords:  hardening                    | Triage Stage:  Ready for checkin
Has patch:  1                           | Needs documentation:  0
Needs tests:  0                         | Patch needs improvement:  0
Easy pickings:  0                       | UI/UX:  0
----------------------------------------+----------------------------------------
Changes (by Carlton Gibson):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/33986#comment:2>

Django

Sep 7, 2022, 5:09:29 AM
to django-...@googlegroups.com
#33986: Code formatters should be looked up before template rendering in
startapp/startproject
----------------------------------------+----------------------------------------
Reporter:  Shai Berger                  | Owner:  Shai Berger
Type:  Cleanup/optimization             | Status:  closed
Component:  Core (Management commands)  | Version:  dev
Severity:  Normal                       | Resolution:  fixed
Keywords:  hardening                    | Triage Stage:  Ready for checkin
Has patch:  1                           | Needs documentation:  0
Needs tests:  0                         | Patch needs improvement:  0
Easy pickings:  0                       | UI/UX:  0
----------------------------------------+----------------------------------------
Changes (by Carlton Gibson <carlton@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"42cd8c390d5f165fd7f6bbdffafd2aa4c2d9a32a" 42cd8c3]:
{{{
#!CommitTicketReference repository=""
revision="42cd8c390d5f165fd7f6bbdffafd2aa4c2d9a32a"
Fixed #33986 -- Hardened binary lookup in template commands.

Made template commands look up formatters before writing files.
This makes sure files included in the template are not identified
as executable formatter commands, even in case the template is
rendered into the system path (as might easily happen on Windows,
where the current directory is on the system path by default).

While at it, warned about trusting custom templates for
startapp/startproject.

Thanks Trung Pham of Viettel Cyber Security for reporting the issue,
Django Security Team for discussions, and Adam Johnson and
Carlton Gibson for reviews.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/33986#comment:3>
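The ordering problem described in the ticket and fixed by the changeset above, as an added example that is not Django's code: a stand-in "render template" step writes files into a directory that is on the executable search path (as the current directory is on Windows), and the formatter is resolved with shutil.which either after or before that step. The helper names, the fake template contents and the use of a temporary directory as the only entry on the search path are all constructed for this example; only the ordering mirrors the commit.

```python
"""Added example (not Django's own code) for ticket #33986.

If the formatter is looked up on the search path only after the template has
been rendered, and the render directory is on that path, a file from the
template with the formatter's name is what the lookup returns. Resolving the
executable before writing anything keeps template contents out of the search.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

FORMATTER = "black"  # name the management command looks for on the path


def render_template(target: Path, files: dict) -> list:
    """Stand-in for template rendering: write each file into target.
    A custom template is trusted code, so it may contain any file name,
    including one that matches the formatter. Executable bits are set so
    that shutil.which() accepts the file on POSIX (constructed for the demo)."""
    written = []
    for name, content in files.items():
        path = target / name
        path.write_text(content)
        path.chmod(path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        written.append(path)
    return written


def lookup_after_render(target: Path, files: dict, search_path: str):
    """Pre-fix ordering: render first, then resolve the formatter."""
    render_template(target, files)
    return shutil.which(FORMATTER, path=search_path)


def lookup_before_render(target: Path, files: dict, search_path: str):
    """Post-fix ordering: resolve the formatter first, then render."""
    formatter = shutil.which(FORMATTER, path=search_path)
    render_template(target, files)
    return formatter


def demo() -> dict:
    """Run both orderings in a throwaway directory that is the only entry on
    the search path (so the result does not depend on whether a real black
    is installed here). Returns the resolved path per ordering; None means
    nothing was found, which is the correct outcome for the hardened order."""
    template = {
        "manage.py": "# constructed template file\n",
        FORMATTER: "# constructed template file that shares the formatter's name\n",
    }
    results = {}
    for label, lookup in (("after_render", lookup_after_render),
                          ("before_render", lookup_before_render)):
        with tempfile.TemporaryDirectory() as tmp:
            target = Path(tmp)
            results[label] = lookup(target, template, str(target))
    return results


def template_file_was_selected(results: dict) -> bool:
    """True when only the pre-fix ordering picked up the template's file."""
    return results["after_render"] is not None and results["before_render"] is None


if __name__ == "__main__":
    r = demo()
    for label, found in r.items():
        print(f"{label:14s} -> {found}")
    print("template file selected by old ordering:", template_file_was_selected(r))
```

The point the commit makes is visible in the two return values: with the search path limited to the render directory, lookup_after_render returns the path of the file the template wrote, while lookup_before_render returns None because that file did not exist yet when the search ran. In the real command the search path also contains the genuine formatter directories, so the hardened order resolves the real black (or nothing) and never a template file.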
