Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable loading jinja2 PromptTemplate from file. #10252

Merged
merged 3 commits into from
Oct 10, 2023
Merged

Disable loading jinja2 PromptTemplate from file. #10252

merged 3 commits into from
Oct 10, 2023

Conversation

obi1kenobi
Copy link
Collaborator

@obi1kenobi obi1kenobi commented Sep 5, 2023
edited by eyurtsev
Loading

jinja2 templates are not sandboxed and are at risk for arbitrary code execution. To mitigate this risk:

  • We no longer support loading jinja2-formatted prompt template files.
  • PromptTemplate with jinja2 may still be constructed manually, but the class carries a security warning reminding the user to not pass untrusted input into it.

Resolves #4394.

Resolves: CVE-2023-36281

@obi1kenobi
Disable loading jinja2 PromptTemplate from file.
b574d72 
jinja2 templates are not sandboxed and are at risk for arbitrary code
execution. To mitigate this risk:
- We no longer support loading jinja2-formatted prompt template files.
- `PromptTemplate` with jinja2 may still be constructed manually, but
  the class carries a security warning reminding the user to not pass
  untrusted input into it.

Resolves #4394.
@vercel
Copy link

vercel bot commented Sep 5, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Comments Updated (UTC)
langchain ⬜️ Ignored (Inspect) Visit Preview Sep 5, 2023 9:10pm

@dosubot dosubot bot added the 🤖:bug Related to a bug, vulnerability, unexpected error with an existing feature label Sep 5, 2023
@obi1kenobi obi1kenobi merged commit 22abeb9 into master Oct 10, 2023
@obi1kenobi obi1kenobi deleted the pg/jinja2-injection branch October 10, 2023 15:15
@eyurtsev eyurtsev mentioned this pull request Oct 10, 2023
Merged
@tabdunabi tabdunabi mentioned this pull request Oct 10, 2023
Closed
14 tasks
@everyun
Copy link

everyun commented Oct 24, 2023

Why isn't the sandbox enabled by default, but instead there is a warning about risks in jinja2?

@obi1kenobi
Copy link
Collaborator Author

By the way that jinja2 is designed, it is not possible to create a sandbox from inside a running Python process. It is not something the langchain library can provide or enable. The sandbox has to be set up externally, around the entire app that the end user is running. For example, this could be done via virtualization.

Of course, it's best to completely avoid jinja2 if possible, because of the difficulty in setting up such a sandbox properly.

@everyun
Copy link

everyun commented Oct 26, 2023

is sandbox.SandboxedEnvironment().from_string(f).render not safe enough? why we need an external sandbox?

@obi1kenobi
Copy link
Collaborator Author

It's very nice and we're looking into adopting it, but it unfortunately isn't safe enough to justify not recommending an external sandbox. One of the concerns is that the jinja sandbox security model is "assume safe unless marked" instead of "assume unsafe unless marked." It relies on functions being explicitly marked as unsafe, which is very difficult to do safely in a large fast-moving project like this one. All it would take is one slip-up and attackers would have a way in.

Here I'm explicitly not saying that jinja made a poor design decision. That design is very reasonable from an adoption and ease of use perspective — the safer alternative would probably be quite onerous to use. All I'm saying is that its security model isn't quite a match for our needs and concerns :)

hoanq1811 pushed a commit to hoanq1811/langchain that referenced this pull request Feb 2, 2024
@obi1kenobi
Disable loading jinja2 PromptTemplate from file. (langchain-ai#10252)
1cc216e 
jinja2 templates are not sandboxed and are at risk for arbitrary code
execution. To mitigate this risk:
- We no longer support loading jinja2-formatted prompt template files.
- `PromptTemplate` with jinja2 may still be constructed manually, but
the class carries a security warning reminding the user to not pass
untrusted input into it.

Resolves langchain-ai#4394.
@efriis efriis mentioned this pull request May 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hwchase17 hwchase17 Awaiting requested review from hwchase17

@eyurtsev eyurtsev Awaiting requested review from eyurtsev

@baskaryan baskaryan Awaiting requested review from baskaryan

Assignees
No one assigned
Labels
🤖:bug Related to a bug, vulnerability, unexpected error with an existing feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Template injection to arbitrary code execution
2 participants
@obi1kenobi @everyun