Description
Environment
- Python version: 3.9
- Nautobot version: 2.x
- nautobot-design-builder version: all
Expected Behavior
User input should not permit code injection
Observed Behavior
User input that is bound to a context variable can inject Jinja2 template code, which is then executed when the design is rendered.
Steps to Reproduce
The _TemplateNode class is used to wrap strings in the design builder context and then evaluate them in a Jinja2 environment. That environment provides access to the context itself. If Jinja2 tags are injected into the user input, and the context exposes objects such as Nautobot model instances, then those objects can be used to manipulate Nautobot itself.
For instance, if a script variable named name exists on the job, and the context for the design includes a method mysite that returns a Nautobot Location, then the following value for name could delete all of the devices in that site:
{% set nothing = mysite().devices.all().delete() %}This is the actual name string
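The mechanism above, reduced to a self-contained script, as an added example rather than code from nautobot-design-builder: it contrasts the vulnerable pattern (compiling a user-supplied string as Jinja2 template source) with the fix (compiling only designer-authored template text and passing the user's value in as a variable), and shows what Jinja2's sandbox does and does not buy you. FakeLocation, FakeDeviceQuerySet and the mysite() callable are constructed stand-ins for Nautobot objects; the alters_data flag on delete() mirrors what Django sets on Model.delete and QuerySet.delete, so the sandboxed case behaves as it would against real models.

```python
"""Added example (not nautobot-design-builder code): why a user-supplied string
must never become Jinja2 template *source*, and two safer ways to handle it.
The Location/queryset classes below are constructed stand-ins for Nautobot models."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class FakeDeviceQuerySet:
    """Constructed stand-in for a Django related manager / QuerySet."""

    def __init__(self):
        self.items = ["dev1", "dev2", "dev3"]

    def all(self):
        return self

    def delete(self):
        deleted = len(self.items)
        self.items.clear()
        return deleted, {}


# Django marks Model.delete and QuerySet.delete with alters_data = True; mirrored
# here so the sandbox demo below behaves as it would with real Nautobot objects.
FakeDeviceQuerySet.delete.alters_data = True


class FakeLocation:
    """Constructed stand-in for a Nautobot Location with a reverse relation."""

    def __init__(self):
        self.devices = FakeDeviceQuerySet()


# The value from the report: template tags hidden in an ordinary-looking name.
PAYLOAD = "{% set nothing = mysite().devices.all().delete() %}This is the actual name string"


def render_as_template(value, context):
    """Vulnerable pattern: the user's string *is* the template, so any tags in it
    run with full access to whatever the context exposes."""
    return Environment().from_string(value).render(**context)


def render_as_data(template_source, value, context):
    """Safe pattern: only designer-authored text is compiled; the user's value is
    passed in as a variable and is emitted verbatim, tags included."""
    return Environment().from_string(template_source).render(name=value, **context)


def render_sandboxed(value, context):
    """Defense in depth only: SandboxedEnvironment refuses to call anything flagged
    alters_data (Django's delete/save) and raises SecurityError. It still lets the
    template *read* every object the context exposes, so it does not replace
    render_as_data()."""
    try:
        return SandboxedEnvironment().from_string(value).render(**context)
    except SecurityError as exc:
        return f"blocked: {exc.__class__.__name__}"


def demo(renderer):
    """Run one renderer against a fresh site; return (output, devices left)."""
    site = FakeLocation()
    context = {"mysite": lambda: site}
    output = renderer(PAYLOAD, context)
    return output, len(site.devices.items)


def demo_vulnerable():
    # Output looks harmless, but the site's devices are gone.
    return demo(render_as_template)  # ("This is the actual name string", 0)


def demo_safe():
    # The payload is printed literally; nothing in it executes.
    return demo(lambda v, c: render_as_data("Device name: {{ name }}", v, c))


def demo_sandboxed():
    return demo(render_sandboxed)  # ("blocked: SecurityError", 3)


if __name__ == "__main__":
    for fn in (demo_vulnerable, demo_safe, demo_sandboxed):
        print(fn.__name__, "->", fn())
```

The point of render_as_data is that the user never controls template source, only a value substituted into it, so Jinja2 syntax in the input is inert. The sandbox case is shown to make its limits explicit: it only stops the call because Django happens to flag delete() with alters_data, and it leaves every attribute and relation on the exposed objects readable.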