Merge pull request #5359 from StackStorm/use_sandbox_jinja

Use Jinja sandboxed environment

Author: amanda11

CHANGELOG.rst

@@ -37,6 +37,10 @@ Changed
 
   Contributed by @khushboobhatia01
 
+* Move to using Jinja sandboxed environment #5359
+
+  Contributed by Amanda McGuinness (@amanda11 Ammeon Solutions)
+
 Fixed
 ~~~~~
 

contrib/runners/orquesta_runner/in-requirements.txt

@@ -1 +1 @@
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta

contrib/runners/orquesta_runner/requirements.txt

@@ -5,4 +5,4 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta

fixed-requirements.txt

@@ -22,7 +22,8 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx==1.11
+#Update networkx to match orquesta
+networkx>=2.5.1,<3.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13

requirements.txt

@@ -16,7 +16,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
 git+https://github.com/StackStorm/logshipper.git@stackstorm_patched#egg=logshipper
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-auth-backend-flat-file.git@master#egg=st2-auth-backend-flat-file
 git+https://github.com/StackStorm/st2-auth-ldap.git@master#egg=st2-auth-ldap
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
@@ -32,7 +32,7 @@ kombu==5.0.2
 lockfile==0.12.2
 mock==4.0.3
 mongoengine==0.23.0
-networkx==1.11
+networkx>=2.5.1,<3.0
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1

st2common/in-requirements.txt

@@ -10,7 +10,7 @@ jsonschema
 kombu
 mongoengine
 networkx
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
 oslo.config
 paramiko

st2common/requirements.txt

@@ -12,7 +12,7 @@ cryptography==3.4.7
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
-git+https://github.com/StackStorm/orquesta.git@v1.4.0#egg=orquesta
+git+https://github.com/StackStorm/orquesta.git@219f00db5192321af9d29b4c51ec748846ab90c6#egg=orquesta
 git+https://github.com/StackStorm/st2-rbac-backend.git@master#egg=st2-rbac-backend
 gitdb==4.0.2
 gitpython==3.1.15
@@ -23,7 +23,7 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx==1.11
+networkx>=2.5.1,<3.0
 orjson==3.5.2
 oslo.config>=1.12.1,<1.13
 paramiko==2.7.2

st2common/st2common/util/jinja.py

@@ -88,9 +88,10 @@ def get_jinja_environment(allow_undefined=False, trim_blocks=True, lstrip_blocks
     # Late import to avoid very expensive in-direct import (~1 second) when this function
     # is not called / used
     import jinja2
+    import jinja2.sandbox
 
     undefined = jinja2.Undefined if allow_undefined else jinja2.StrictUndefined
-    env = jinja2.Environment(  # nosec
+    env = jinja2.sandbox.SandboxedEnvironment(  # nosec
         undefined=undefined, trim_blocks=trim_blocks, lstrip_blocks=lstrip_blocks
     )
     env.filters.update(get_filters())

st2common/st2common/util/param.py

@@ -156,8 +156,8 @@ def _process_defaults(G, schemas):
     """
     for schema in schemas:
         for name, value in six.iteritems(schema):
-            absent = name not in G.node
-            is_none = G.node.get(name, {}).get("value") is None
+            absent = name not in G.nodes
+            is_none = G.nodes.get(name, {}).get("value") is None
             immutable = value.get("immutable", False)
             if absent or is_none or immutable:
                 _process(G, name, value.get("default"))
@@ -167,8 +167,8 @@ def _validate(G):
     """
     Validates dependency graph to ensure it has no missing or cyclic dependencies
     """
-    for name in G.nodes():
-        if "value" not in G.node[name] and "template" not in G.node[name]:
+    for name in G.nodes:
+        if "value" not in G.nodes[name] and "template" not in G.nodes[name]:
             msg = 'Dependency unsatisfied in variable "%s"' % name
             raise ParamException(msg)
 
@@ -232,7 +232,7 @@ def _resolve_dependencies(G):
     """
     context = {}
     for name in nx.topological_sort(G):
-        node = G.node[name]
+        node = G.nodes[name]
         try:
             context[name] = _render(node, context)
 

tools/st2-analyze-links.py

@@ -152,11 +152,11 @@ def generate_graph(self, rule_links, out_file):
             print(rule_link._source_action_ref)
             if rule_link._source_action_ref not in nodes:
                 nodes.add(rule_link._source_action_ref)
-                dot.node(rule_link._source_action_ref, rule_link._source_action_ref)
+                dot.add_node(rule_link._source_action_ref)
             if rule_link._dest_action_ref not in nodes:
                 nodes.add(rule_link._dest_action_ref)
-                dot.node(rule_link._dest_action_ref, rule_link._dest_action_ref)
-            dot.edge(
+                dot.add_node(rule_link._dest_action_ref)
+            dot.add_edge(
                 rule_link._source_action_ref,
                 rule_link._dest_action_ref,
                 constraint="true",