
fix(mako): harden RCE sandbox checks for 3.24 LTS#269

Merged
dengyh merged 2 commits into TencentBlueKing:bamboo_pipeline_3.24_lts from dengyh:fix/mako-rce-hardening-3.24-lts on Jun 10, 2026

Conversation

@dengyh (Collaborator) commented Jun 9, 2026

Summary

  • backport root-name whitelist protection for Mako reserved namespaces such as self/context/local
  • harden Mako filter, tag-level filter, format/format_map, and dangerous attr-chain checks
  • keep versions unchanged; release/package bump can be done after merge

Validation

  • uv run --no-project --python /Users/dengyh/.pyenv/versions/3.7.16/bin/python --with pytest==6.2.5 --with Mako==1.1.4 --with 'Werkzeug<2' --with 'pyparsing<3' --with prometheus-client==0.9.0 pytest -q tests/template/test_template.py
  • uv run --no-project --python /Users/dengyh/.pyenv/versions/3.7.16/bin/python python -m compileall -q bamboo_engine runtime/bamboo-pipeline/pipeline/core/data runtime/bamboo-pipeline/pipeline/utils/mako_utils runtime/bamboo-pipeline/pipeline/conf
  • runtime ConstantTemplate smoke script with minimal Django settings: blocks self.module, filter callable, and format lookup payloads

Notes

  • bk-sops master currently pins bamboo-pipeline==3.24.11. GitHub bamboo_pipeline_3.24_lts branch head is still at 3.24.10; this PR intentionally does not change package versions.
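As an added illustration of the four checks the summary lists (reserved root names, filter names, format/format_map, dangerous attribute chains), not code from this PR or from bamboo-pipeline: a small static checker that parses each `${...}` expression with Python's `ast` module instead of Mako's own lexer. The reserved-root set, the dangerous-attribute list and the `allowed_roots` parameter are assumptions that approximate what the summary describes.

```python
import ast

# Mako reserves these root names for its own namespaces; the sandbox must not
# let a template expression start an attribute chain from them (assumed set).
RESERVED_ROOTS = {"self", "context", "local"}
# Attribute names that expose interpreter internals or a module object (assumed).
DANGEROUS_ATTRS = {"__class__", "__subclasses__", "__globals__", "__builtins__",
                   "__mro__", "__dict__", "module"}
# str.format / format_map resolve field lookups at runtime, so refuse them whole.
FORMAT_ATTRS = {"format", "format_map"}


def iter_expressions(source):
    """Yield the body of each ${...} block, counting braces so a '}' inside a
    string literal does not end the expression early (no escape handling)."""
    i = 0
    while True:
        start = source.find("${", i)
        if start < 0:
            return
        depth, j = 1, start + 2
        while j < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[j], 0)
            j += 1
        yield source[start + 2:(j - 1 if depth == 0 else j)]
        i = j


def check_template(source, allowed_roots):
    """Return (kind, detail) findings; an empty list means the template passes."""
    findings = []
    for body in iter_expressions(source):
        expr, _, filters = body.partition("|")  # Mako filter syntax: ${expr | f1, f2}
        for name in (f.strip() for f in filters.split(",") if f.strip()):
            # A filter must be a plain identifier: no calls, no attribute chains.
            if not name.isidentifier() or name in RESERVED_ROOTS:
                findings.append(("bad_filter", name))
        try:
            tree = ast.parse(expr.strip(), mode="eval")
        except SyntaxError:
            findings.append(("syntax", expr.strip()))
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.Name) and node.id not in allowed_roots:
                kind = "reserved_root" if node.id in RESERVED_ROOTS else "unknown_root"
                findings.append((kind, node.id))
            elif isinstance(node, ast.Attribute):
                if node.attr in DANGEROUS_ATTRS:
                    findings.append(("dangerous_attr", node.attr))
                elif node.attr in FORMAT_ATTRS:
                    findings.append(("format_lookup", node.attr))
    return findings
```

Deny-by-default is deliberate: any root name outside `allowed_roots` is reported, so a whitelist of the variables a pipeline actually passes in is the only thing a template may reference.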

@dengyh dengyh merged commit a1d3a18 into TencentBlueKing:bamboo_pipeline_3.24_lts Jun 10, 2026
5 of 9 checks passed