Opened 2 years ago

Closed 2 years ago

#33986 closed Cleanup/optimization (fixed)

Code formatters should be looked up before template rendering in startapp/startproject

Reported by: Shai Berger Owned by: Shai Berger
Component: Core (Management commands) Version: dev
Severity: Normal Keywords: hardening
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The Security Team received a report about "binary planting" in custom templates for the startproject and startapp commands:

  • These commands use the black code formatter if it is installed, so they look for it as an executable on the system path;
  • Under some circumstances, the template used for the new project or app will be rendered onto the path (e.g. on Windows the current directory is on the system path by default, and although this is not the default, the template may be rendered into the current directory);
  • In the current code, black is only looked up when it is time to run it, that is, after the template has been rendered
  • So if all the stars above align "correctly", the management command may execute a black command that is included in the template
  • Custom templates can be specified using a remote URL -- in that case, downloaded code would be executed immediately

The Security Team decided that this should not be treated as a vulnerability, since custom templates already get very wide access via the Django Template Language. It still seemed worthwhile to change things so that the lookup should happen before the custom template can affect the choice of executable, and to amplify the warnings in the documentation that custom templates are treated as trusted code.

Thanks Trung Pham of Viettel Cyber Security for the report

Change History (3)

comment:1 by Mariusz Felisiak, 2 years ago

Has patch: set
Triage Stage: UnreviewedAccepted

comment:2 by Carlton Gibson, 2 years ago

Triage Stage: AcceptedReady for checkin

comment:3 by Carlton Gibson <carlton@…>, 2 years ago

Resolution: fixed
Status: assignedclosed

In 42cd8c3:

Fixed #33986 -- Hardened binary lookup in template commands.

Made template commands look up formatters before writing files.
This makes sure files included in the template are not identified
as executable formatter commands, even in case the template is
rendered into the system path (as might easily happen on Windows,
where the current directory is on the system path by default).

While at it, Warned about trusting custom templates for
startapp/startproject.

Thanks Trung Pham of Viettel Cyber Security for reporting the issue,
Django Security Team for discussions, and Adam Johnson and
Carlton Gibson for reviews.

Note: See TracTickets for help on using tickets.
Back to Top