
Commit cedec4d

fix(template): add to dissallowed functions (#4848)
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
1 parent 73825da commit cedec4d

3 files changed

Lines changed: 39 additions & 2 deletions


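--- a/COMMUNITY.md
+++ b/COMMUNITY.md
@@ -6,7 +6,7 @@ Come say hello! We're on the OpenSSF/Kubernetes Slack workspaces and hold a comm
 |-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Website | [zarf.dev](https://zarf.dev) |
 | Docs Website | [docs.zarf.dev](https://docs.zarf.dev) |
-| OpenSSF Slack Invite | [slack.openssf.org](http://slack.openssf.org/) |
+| OpenSSF Slack Invite | [slack.openssf.org](https://slack.openssf.org/) |
 | OpenSSF Slack Channel | [#zarf](https://openssf.slack.com/archives/C07AKUMBDMJ) |
 | Kubernetes Slack Invite | [kubernetes.slack.com/](https://kubernetes.slack.com/) |
 | Kubernetes Slack Channel | [#zarf](https://kubernetes.slack.com/archives/C03B6BJAUJ3) |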

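--- a/src/internal/template/template.go
+++ b/src/internal/template/template.go
@@ -160,11 +160,13 @@ func ApplyToFile(ctx context.Context, src, dst string, objs Objects) error {
 
 // Source: https://github.com/helm/helm/blob/main/pkg/engine/funcs.go#L45
 // SPDX-License-Identifier: Apache 2.0
-// Minor edits: revised var names
+// Minor edits: revised var names, getHostByName removal
 func funcMap() ttmpl.FuncMap {
 m := sprig.TxtFuncMap()
 delete(m, "env")
 delete(m, "expandenv")
+// live DNS lookup could leak templating context
+delete(m, "getHostByName")
 extras := ttmpl.FuncMap{
 "toToml": toTOML,
 "fromToml": fromTOML,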

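--- a/src/internal/template/template_test.go
+++ b/src/internal/template/template_test.go
@@ -422,6 +422,41 @@ func TestApply(t *testing.T) {
 }
 }
 
+// TestFuncMap_UnsafeSprigFunctionsRemoved pins the set of sprig functions
+// deliberately stripped from the template engine. Re-adding any of these
+// reintroduces a host-side-effect or exfiltration channel that Zarf packages
+// (including untrusted ones) must not reach.
+func TestFuncMap_UnsafeSprigFunctionsRemoved(t *testing.T) {
+m := funcMap()
+for _, name := range []string{"env", "expandenv", "getHostByName"} {
+_, present := m[name]
+require.False(t, present, "sprig function %q must not be registered in funcMap", name)
+}
+}
+
+// TestApply_UnsafeSprigFunctionsRejected verifies that templates invoking the
+// stripped functions fail at parse time rather than silently skipping or
+// executing. This is the end-to-end regression guard for the funcMap stripping.
+func TestApply_UnsafeSprigFunctionsRejected(t *testing.T) {
+tests := []struct {
+name string
+tmpl string
+}{
+{name: "env", tmpl: `{{ env "PATH" }}`},
+{name: "expandenv", tmpl: `{{ expandenv "$PATH" }}`},
+{name: "getHostByName", tmpl: `{{ getHostByName "localhost" }}`},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+ctx := context.Background()
+_, err := Apply(ctx, tt.tmpl, Objects{})
+require.Error(t, err)
+require.Contains(t, err.Error(), tt.name)
+require.Contains(t, err.Error(), "not defined")
+})
+}
+}
+
 func TestApplyToFile(t *testing.T) {
 tests := []struct {
 name string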
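Review bot: Every case in TestApply_UnsafeSprigFunctionsRejected expects an error, so a regression that makes Apply fail for every template would still pass; the guard cannot tell "function stripped" from "engine broken". Adding a `wantErr bool` column with one allowed-function case such as `{{ upper "x" }}` asserted with `require.NoError` would make the negative cases meaningful. The `"not defined"` substring pins text/template's parse-error wording rather than a typed error, which is reasonable but worth recording next to the assertion: `// text/template reports an unknown function as "function <name> not defined" at parse time`.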
