New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency Jinja2 to v3 [SECURITY] #127

Open

renovate wants to merge 1 commit into master from renovate/pypi-Jinja2-vulnerability

renovate bot commented May 6, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Jinja2 (source, changelog)	`==2.10.1` -> `==3.1.4`

GitHub Vulnerability Alerts

CVE-2024-34064

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.

Release Notes

pallets/jinja (Jinja2)

`v3.1.4`

Released 2024-05-05

The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj

`v3.1.3`

Released 2024-01-10

Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918

`v3.1.2`

Released 2022-04-28

Add parameters to Environment.overlay to match __init__.
:issue:1645
Handle race condition in FileSystemBytecodeCache. :issue:1654

`v3.1.1`

Released 2022-03-25

The template filename on Windows uses the primary path separator.
:issue:1637

`v3.1.0`

Released 2022-03-24

Drop support for Python 3.6. :pr:1534
Remove previously deprecated code. :pr:1544
- WithExtension and AutoEscapeExtension are built-in now.
- contextfilter and contextfunction are replaced by
  pass_context. evalcontextfilter and
  evalcontextfunction are replaced by pass_eval_context.
  environmentfilter and environmentfunction are replaced
  by pass_environment.
- Markup and escape should be imported from MarkupSafe.
- Compiled templates from very old Jinja versions may need to be
  recompiled.
- Legacy resolve mode for Context subclasses is no longer
  supported. Override resolve_or_missing instead of
  resolve.
- unicode_urlencode is renamed to url_quote.
Add support for native types in macros. :issue:1510
The {% trans %} tag can use pgettext and npgettext by
passing a context string as the first token in the tag, like
{% trans "title" %}. :issue:1430
Update valid identifier characters from Python 3.6 to 3.7.
:pr:1571
Filters and tests decorated with @async_variant are pickleable.
:pr:1612
Add items filter. :issue:1561
Subscriptions ([0], etc.) can be used after filters, tests, and
calls when the environment is in async mode. :issue:1573
The groupby filter is case-insensitive by default, matching
other comparison filters. Added the case_sensitive parameter to
control this. :issue:1463
Windows drive-relative path segments in template names will not
result in FileSystemLoader and PackageLoader loading from
drive-relative paths. :pr:1621

`v3.0.3`

Released 2021-11-09

Fix traceback rewriting internals for Python 3.10 and 3.11.
:issue:1535
Fix how the native environment treats leading and trailing spaces
when parsing values on Python 3.10. :pr:1537
Improve async performance by avoiding checks for common types.
:issue:1514
Revert change to hash(Node) behavior. Nodes are hashed by id
again :issue:1521
PackageLoader works when the package is a single module file.
:issue:1512

`v3.0.2`

Released 2021-10-04

Fix a loop scoping bug that caused assignments in nested loops
to still be referenced outside of it. :issue:1427
Make compile_templates deterministic for filter and import
names. :issue:1452, 1453
Revert an unintended change that caused Undefined to act like
StrictUndefined for the in operator. :issue:1448
Imported macros have access to the current template globals in async
environments. :issue:1494
PackageLoader will not include a current directory (.) path
segment. This allows loading templates from the root of a zip
import. :issue:1467

`v3.0.1`

Released 2021-05-18

Update MarkupSafe dependency to >= 2.0. :pr:1418
Mark top-level names as exported so type checking understands
imports in user projects. :issue:1426
Fix some types that weren't available in Python 3.6.0. :issue:1433
The deprecation warning for unneeded autoescape and with_
extensions shows more relevant context. :issue:1429
Fixed calling deprecated jinja2.Markup without an argument.
Use markupsafe.Markup instead. :issue:1438
Calling sync render for an async template uses asyncio.run
on Python >= 3.7. This fixes a deprecation that Python 3.10
introduces. :issue:1443

`v3.0.0`

Released 2021-05-11

Drop support for Python 2.7 and 3.5.
Bump MarkupSafe dependency to >=1.1.
Bump Babel optional dependency to >=2.1.
Remove code that was marked deprecated.
Add type hinting. :pr:1412
Use :pep:451 API to load templates with
:class:~loaders.PackageLoader. :issue:1168
Fix a bug that caused imported macros to not have access to the
current template's globals. :issue:688
Add ability to ignore trim_blocks using +%}. :issue:1036
Fix a bug that caused custom async-only filters to fail with
constant input. :issue:1279
Fix UndefinedError incorrectly being thrown on an undefined variable
instead of Undefined being returned on
NativeEnvironment on Python 3.10. :issue:1335
Blocks can be marked as required. They must be overridden at
some point, but not necessarily by the direct child. :issue:1147
Deprecate the autoescape and with extensions, they are
built-in to the compiler. :issue:1203
The urlize filter recognizes mailto: links and takes
extra_schemes (or env.policies["urlize.extra_schemes"]) to
recognize other schemes. It tries to balance parentheses within a
URL instead of ignoring trailing characters. The parsing in general
has been updated to be more efficient and match more cases. URLs
without a scheme are linked as https:// instead of http://.
:issue:522, 827, 1172, :pr:1195
Filters that get attributes, such as map and groupby, can
use a false or empty value as a default. :issue:1331
Fix a bug that prevented variables set in blocks or loops from
being accessed in custom context functions. :issue:768
Fix a bug that caused scoped blocks from accessing special loop
variables. :issue:1088
Update the template globals when calling
Environment.get_template(globals=...) even if the template was
already loaded. :issue:295
Do not raise an error for undefined filters in unexecuted
if-statements and conditional expressions. :issue:842
Add is filter and is test tests to test if a name is a
registered filter or test. This allows checking if a filter is
available in a template before using it. Test functions can be
decorated with @pass_environment, @pass_eval_context,
or @pass_context. :issue:842, :pr:1248
Support pgettext and npgettext (message contexts) in i18n
extension. :issue:441
The |indent filter's width argument can be a string to
indent by. :pr:1167
The parser understands hex, octal, and binary integer literals.
:issue:1170
Undefined.__contains__ (in) raises an UndefinedError
instead of a TypeError. :issue:1198
Undefined is iterable in an async environment. :issue:1294
NativeEnvironment supports async mode. :issue:1362
Template rendering only treats \n, \r\n and \r as line
breaks. Other characters are left unchanged. :issue:769, 952, 1313
|groupby filter takes an optional default argument.
:issue:1359
The function and filter decorators have been renamed and unified.
The old names are deprecated. :issue:1381
- pass_context replaces contextfunction and
  contextfilter.
- pass_eval_context replaces evalcontextfunction and
  evalcontextfilter
- pass_environment replaces environmentfunction and
  environmentfilter.
Async support no longer requires Jinja to patch itself. It must
still be enabled with Environment(enable_async=True).
:issue:1390
Overriding Context.resolve is deprecated, override
resolve_or_missing instead. :issue:1380

`v2.11.3`

Released 2021-01-31

Improve the speed of the urlize filter by reducing regex
backtracking. Email matching requires a word character at the start
of the domain part, and only word characters in the TLD. :pr:1343

`v2.11.2`

Released 2020-04-13

Fix a bug that caused callable objects with __getattr__, like
:class:~unittest.mock.Mock to be treated as a
:func:contextfunction. :issue:1145
Update wordcount filter to trigger :class:Undefined methods
by wrapping the input in :func:soft_str. :pr:1160
Fix a hang when displaying tracebacks on Python 32-bit.
:issue:1162
Showing an undefined error for an object that raises
AttributeError on access doesn't cause a recursion error.
:issue:1177
Revert changes to :class:~loaders.PackageLoader from 2.10 which
removed the dependency on setuptools and pkg_resources, and added
limited support for namespace packages. The changes caused issues
when using Pytest. Due to the difficulty in supporting Python 2 and
:pep:451 simultaneously, the changes are reverted until 3.0.
:pr:1182
Fix line numbers in error messages when newlines are stripped.
:pr:1178
The special namespace() assignment object in templates works in
async environments. :issue:1180
Fix whitespace being removed before tags in the middle of lines when
lstrip_blocks is enabled. :issue:1138
:class:~nativetypes.NativeEnvironment doesn't evaluate
intermediate strings during rendering. This prevents early
evaluation which could change the value of an expression.
:issue:1186

`v2.11.1`

Released 2020-01-30

Fix a bug that prevented looking up a key after an attribute
({{ data.items[1:] }}) in an async template. :issue:1141

`v2.11.0`

Released 2020-01-27

Drop support for Python 2.6, 3.3, and 3.4. This will be the last
version to support Python 2.7 and 3.5.
Added a new ChainableUndefined class to support getitem and
getattr on an undefined object. :issue:977
Allow {%+ syntax (with NOP behavior) when lstrip_blocks is
disabled. :issue:748
Added a default parameter for the map filter. :issue:557
Exclude environment globals from
:func:meta.find_undeclared_variables. :issue:931
Float literals can be written with scientific notation, like
2.56e-3. :issue:912, :pr:922
Int and float literals can be written with the '_' separator for
legibility, like 12_345. :pr:923
Fix a bug causing deadlocks in LRUCache.setdefault. :pr:1000
The trim filter takes an optional string of characters to trim.
:pr:828
A new jinja2.ext.debug extension adds a {% debug %} tag to
quickly dump the current context and available filters and tests.
:issue:174, :pr:798, 983
Lexing templates with large amounts of whitespace is much faster.
:issue:857, :pr:858
Parentheses around comparisons are preserved, so
{{ 2 * (3 < 5) }} outputs "2" instead of "False".
:issue:755, :pr:938
Add new boolean, false, true, integer and float
tests. :pr:824
The environment's finalize function is only applied to the
output of expressions (constant or not), not static template data.
:issue:63
When providing multiple paths to FileSystemLoader, a template
can have the same name as a directory. :issue:821
Always return :class:Undefined when omitting the else clause
in a {{ 'foo' if bar }} expression, regardless of the
environment's undefined class. Omitting the else clause is a
valid shortcut and should not raise an error when using
:class:StrictUndefined. :issue:710, :pr:1079
Fix behavior of loop control variables such as length and
revindex0 when looping over a generator. :issue:459, 751, 794,
:pr:993
Async support is only loaded the first time an environment enables
it, in order to avoid a slow initial import. :issue:765
In async environments, the |map filter will await the filter
call if needed. :pr:913
In for loops that access loop attributes, the iterator is not
advanced ahead of the current iteration unless length,
revindex, nextitem, or last are accessed. This makes it
less likely to break groupby results. :issue:555, :pr:1101
In async environments, the loop attributes length and
revindex work for async iterators. :pr:1101
In async environments, values from attribute/property access will
be awaited if needed. :pr:1101
:class:~loader.PackageLoader doesn't depend on setuptools or
pkg_resources. :issue:970
PackageLoader has limited support for :pep:420 namespace
packages. :issue:1097
Support :class:os.PathLike objects in
:class:~loader.FileSystemLoader and :class:~loader.ModuleLoader.
:issue:870
:class:~nativetypes.NativeTemplate correctly handles quotes
between expressions. "'{{ a }}', '{{ b }}'" renders as the tuple
('1', '2') rather than the string '1, 2'. :issue:1020
Creating a :class:~nativetypes.NativeTemplate directly creates a
:class:~nativetypes.NativeEnvironment instead of a default
:class:Environment. :issue:1091
After calling LRUCache.copy(), the copy's queue methods point to
the correct queue. :issue:843
Compiling templates always writes UTF-8 instead of defaulting to the
system encoding. :issue:889
|wordwrap filter treats existing newlines as separate paragraphs
to be wrapped individually, rather than creating short intermediate
lines. :issue:175
Add break_on_hyphens parameter to |wordwrap filter.
:issue:550
Cython compiled functions decorated as context functions will be
passed the context. :pr:1108
When chained comparisons of constants are evaluated at compile time,
the result follows Python's behavior of returning False if any
comparison returns False, rather than only the last one.
:issue:1102
Tracebacks for exceptions in templates show the correct line numbers
and source for Python >= 3.7. :issue:1104
Tracebacks for template syntax errors in Python 3 no longer show
internal compiler frames. :issue:763
Add a DerivedContextReference node that can be used by
extensions to get the current context and local variables such as
loop. :issue:860
Constant folding during compilation is applied to some node types
that were previously overlooked. :issue:733
TemplateSyntaxError.source is not empty when raised from an
included template. :issue:457
Passing an Undefined value to get_template (such as through
extends, import, or include), raises an
UndefinedError consistently. select_template will show the
undefined message in the list of attempts rather than the empty
string. :issue:1037
TemplateSyntaxError can be pickled. :pr:1117

`v2.10.3`

Released 2019-10-04

Fix a typo in Babel entry point in setup.py that was preventing
installation.

`v2.10.2`

Released 2019-10-04

Fix Python 3.7 deprecation warnings.
Using range in the sandboxed environment uses xrange on
Python 2 to avoid memory use. :issue:933
Use Python 3.7's better traceback support to avoid a core dump when
using debug builds of Python 3.7. :issue:1050

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency Jinja2 to v3 [SECURITY]

2473ad8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment