Skip to content

Commit 1460b54

Browse files
hc-github-team-nomad-coretgross
hc-github-team-nomad-core
and
tgross
authored
Backport of docs: fix missing entry from template function_denylist into release/1.9.x (#26463)
Co-authored-by: Tim Gross <[email protected]>
1 parent b6b4b4b commit 1460b54

File tree

2 files changed

+12
-10
lines changed

2 files changed

+12
-10
lines changed

website/content/docs/configuration/client.mdx

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -487,10 +487,11 @@ refer to the [drivers documentation](/nomad/docs/drivers).
487487

488488
### `template` Parameters
489489

490-
- `function_denylist` `([]string: ["plugin", "writeToFile"])` - Specifies a
491-
list of template rendering functions that should be disallowed in job specs.
492-
By default the `plugin` and `writeToFile` functions are disallowed as they
493-
allow unrestricted root access to the host.
490+
- `function_denylist` `([]string: ["plugin", "executeTemplate",
491+
"writeToFile"])` - Specifies a list of template rendering functions that
492+
should be disallowed in job specs. By default the `plugin`, `executeTemplate`
493+
and `writeToFile` functions are disallowed as they allow unrestricted root
494+
access to the host or allow recursive execution.
494495

495496
- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
496497
files on the client host via the `file` function. By default, templates can

website/content/docs/job-specification/template.mdx

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -789,12 +789,13 @@ access it by index. This secret was set using
789789
The `template` block has the following [client configuration
790790
options](/nomad/docs/configuration/client#options):
791791

792-
- `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
793-
rendering functions that should be disallowed in job specs. By default, the
794-
`plugin` function is disallowed as it allows running arbitrary commands on the
795-
host as root (unless Nomad is configured to run as a non-root user),
796-
`executeTemplate` is disallowed to prevent accidental or malicious infinitely
797-
recursive execution, and `writeToFile` is disallowed.
792+
- `function_denylist` `([]string: ["plugin", "executeTemplate",
793+
"writeToFile"])` - Specifies a list of template rendering functions that
794+
should be disallowed in job specs. By default, the `plugin` function is
795+
disallowed as it allows running arbitrary commands on the host as root (unless
796+
Nomad is configured to run as a non-root user), `executeTemplate` is
797+
disallowed to prevent accidental or malicious infinitely recursive execution,
798+
and `writeToFile` is disallowed.
798799

799800
- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
800801
files on the client host via the `file` function. By default, templates can

0 commit comments

Comments
 (0)