gathering / gondul

Network management/monitoring system specialized for temporary events
http://tech.gathering.org
GNU General Public License v2.0

Templating: Code execution when posting data #203

Open slinderud opened 5 years ago

slinderud commented 5 years ago

Example: curl -XPOST "url" --data-binary "{{ ''.__class__.mro()[1].__subclasses__() }}"

Things to look at:

- Don't accept POST towards the template without authentication (we only need GET requests)
- Limit to a RO filesystem in the service file
- Fix the template user and don't run it as root
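Added example, not gondul's code and not part of the issue thread: a minimal Python reproduction of the pattern the report describes, contrasting rendering the POSTed body as the template with rendering a fixed server-side template that treats the body as data. It assumes, from the shape of the payload, that the templating service is Python with Jinja2; the function names and the `<pre>` template are illustrative. Jinja2's SandboxedEnvironment is included only to show it as a backstop, not as the fix.

```python
# Added example (not gondul's own code). Assumes, from the shape of the
# payload in the issue, that the templating service is Python + Jinja2.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# The exact POST body from the issue report.
PAYLOAD = "{{ ''.__class__.mro()[1].__subclasses__() }}"


def render_body_as_template(body: str) -> str:
    """Vulnerable pattern: the request body *is* the template source.

    ''.__class__ is str, mro()[1] is object, and object.__subclasses__()
    enumerates every class loaded in the process. That is the first step
    of the well-known Jinja2 template-injection chain, so an unauthenticated
    POST here is code execution with the service's privileges.
    """
    return Environment().from_string(body).render()


def render_body_as_template_sandboxed(body: str) -> str:
    """Same mistake behind Jinja2's sandbox.

    The sandbox refuses access to attributes starting with '_' (here
    '__class__') and raises SecurityError. Useful as defence in depth, but
    untrusted input should never be template source in the first place.
    """
    try:
        return SandboxedEnvironment().from_string(body).render()
    except SecurityError as exc:
        return f"rejected: {exc}"


def render_fixed_template_with_data(template_src: str, body: str) -> str:
    """Correct separation: the template is chosen server-side and the
    request body is only ever data. The braces in the body are escaped
    text, never parsed, so the payload renders as a harmless string.
    """
    env = Environment(autoescape=True)
    return env.from_string(template_src).render(data=body)


if __name__ == "__main__":
    # Vulnerable: prints the start of the process's class list.
    print(render_body_as_template(PAYLOAD)[:80], "...")
    # Sandboxed: prints the SecurityError message.
    print(render_body_as_template_sandboxed(PAYLOAD))
    # Fixed: prints the payload as inert, escaped text inside <pre>.
    print(render_fixed_template_with_data("<pre>{{ data }}</pre>", PAYLOAD))
```

Run it with jinja2 installed. The two other items in the report (read-only filesystem, not running as root) are service-unit hardening rather than code changes, e.g. systemd's `ProtectSystem=strict` and `User=`; they limit what a successful injection can reach rather than preventing it, which is why the endpoint change comes first.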