security: avoid jinja 3.2.4 (#17)
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.

Co-authored-by: Peter Van Bouwel <peter.vanbouwel@vito.be>
pvbouwel and Peter Van Bouwel authored Jan 6, 2025
1 parent cdeab87 commit a67b167
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion testing/requirements.txt
Expand Up @@ -18,7 +18,7 @@ Flask-Cors==5.0.0
graphql-core==3.2.5
idna==3.10
itsdangerous==2.2.0
Jinja2==3.1.4
Jinja2>=3.1.5, <4
jmespath==1.0.1
joserfc==1.0.0
jsondiff==2.2.1
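Review bot: the commit title says "avoid jinja 3.2.4", but the line this hunk removes pins `Jinja2==3.1.4` and the replacement requires `>=3.1.5`; the title should name 3.1.4 so the history matches the change, and the message would be easier to audit if it cited the upstream Jinja advisory it is responding to. Separately, swapping an exact pin for the open range `Jinja2>=3.1.5, <4` in testing/requirements.txt makes test installs resolve to whatever 3.x is current, so runs are no longer reproducible and a future breaking change lands silently; if the intent is only to get past the vulnerable release, `Jinja2==3.1.5` keeps the pin discipline the rest of this file uses.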
