| Sandbox |
| ======= |
| |
| The Jinja2 sandbox can be used to evaluate untrusted code. Access to unsafe |
| attributes and methods is prohibited. |
| |
| Assuming `env` is a :class:`SandboxedEnvironment` in the default configuration |
| the following piece of code shows how it works: |
| |
| >>> env.from_string("{{ func.func_code }}").render(func=lambda:None) |
| u'' |
| >>> env.from_string("{{ func.func_code.do_something }}").render(func=lambda:None) |
| Traceback (most recent call last): |
| ... |
| SecurityError: access to attribute 'func_code' of 'function' object is unsafe. |
| |
| |
| .. module:: ambari_jinja2.sandbox |
| |
| .. autoclass:: SandboxedEnvironment([options]) |
| :members: is_safe_attribute, is_safe_callable |
| |
| .. autoclass:: ImmutableSandboxedEnvironment([options]) |
| |
| .. autoexception:: SecurityError |
| |
| .. autofunction:: unsafe |
| |
| .. autofunction:: is_internal_attribute |
| |
| .. autofunction:: modifies_known_mutable |
| |
| .. admonition:: Note |
| |
| The Jinja2 sandbox alone is no solution for perfect security. Especially |
| for web applications you have to keep in mind that users may create |
| templates with arbitrary HTML in so it's crucial to ensure that (if you |
| are running multiple users on the same server) they can't harm each other |
| via JavaScript insertions and much more. |
| |
| Also the sandbox is only as good as the configuration. We stronly |
| recommend only passing non-shared resources to the template and use |
| some sort of whitelisting for attributes. |
| |
| Also keep in mind that templates may raise runtime or compile time errors, |
| so make sure to catch them. |