Is it safe to render user-created Django templates?


Problem description



Is it safe to let users make their own Django templates with a set of pre-defined variables, and then render this template on the server? I would only pass a very limited set of parameters to render, all of which are strings. Templates would be something like:

hey, my name is {{name}}.

So, the question is, are there any Django template tags that can be abused to get information that users are not supposed to get? I'm most worried about the {% url %} tag.

P.S.

I noticed this question after filling out the title, however, my question is slightly different. I will probably allow no HTML/javascript at all, use Textile/Markdown, or find a way to restrict HTML to a very basic set of tags.

Solution

There're three main risks:

  1. Users modifying the data. For example, rendering {{ request.user.kill }} will trigger a kill() call during value lookup. To prevent this, you should set kill.alters_data = True in your model code. All built-in model methods that modify data are already marked, so the risk is only associated with your own methods or ones provided by poorly-written 3rd party apps.

  2. Users directly accessing data they should not see. When RequestContext is used (which is most of the time), there're many variables added to the template rendering context. Add user-defined templates and you're getting a quite dangerous mix, because a user can view anything added by any context processor.

  3. Users accessing data they should not see through relations. When you pass a model instance to a template, its relations could be traversed further than you could expect: {{ current_user.corporate_account.owner.ssn }} Oops... A good preventive measure would be carefully reviewing your model relations to make sure you're not exposing something sensitive.

Overall, I'd say it is safe as long as you are aware of the risks above and render user-supplied strings separately from regular templates. And make sure you explicitly forbid the {% debug %}, {% include %}, {% ssi %} template tags, as they can give away quite sensitive information. Maybe you can play it safe and only allow variables and filters and forbid control tags altogether.
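The following is an added example, not code from the answer above or from Django itself. It is a minimal stand-alone renderer that applies the answer's advice without requiring Django to be installed: a pre-render check that allows only variables and an allowlist of filters (rejecting every {% ... %} block tag, so {% url %}, {% debug %}, {% include %} and {% ssi %} are all refused), a variable lookup that mimics Django's own rules for callables (the attribute names alters_data and do_not_call_in_templates are Django's; the lookup logic here is a simplified imitation, not Django's implementation), and a context that is a plain dict of explicitly chosen values rather than a RequestContext. FakeUser and its methods are constructed demo data.

```python
"""Added example: sandboxed rendering of a user-authored template.
Not Django's code; it imitates Django's lookup rules for the points
made in the answer above (alters_data, string_if_invalid)."""
import html
import re

BLOCK_TAG_RE = re.compile(r"{%\s*(\w+)")
VARIABLE_RE = re.compile(r"{{\s*([\w.]+)((?:\|\w+)*)\s*}}")

# Only harmless, value-level filters; anything else is rejected.
FILTERS = {"upper": str.upper, "lower": str.lower, "title": str.title}


class UnsafeTemplate(ValueError):
    """Raised when a user template uses something outside the allowlist."""


def check_user_template(source, allowed_tags=frozenset()):
    """Pre-render check: refuse every {% tag %} not explicitly allowed
    (the default allows none, i.e. variables and filters only) and refuse
    filters that are not in FILTERS."""
    for m in BLOCK_TAG_RE.finditer(source):
        if m.group(1) not in allowed_tags:
            raise UnsafeTemplate("block tag {%% %s %%} is not allowed" % m.group(1))
    for m in VARIABLE_RE.finditer(source):
        for name in m.group(2).split("|")[1:]:
            if name not in FILTERS:
                raise UnsafeTemplate("filter %s is not allowed" % name)
    return True


def resolve(context, dotted):
    """Imitate Django's Variable lookup: dict key, then attribute, and call
    callables unless flagged alters_data / do_not_call_in_templates.
    Anything unresolvable becomes "" (Django's default string_if_invalid)."""
    current = context
    for bit in dotted.split("."):
        if bit.startswith("_"):          # Django refuses private names too
            return ""
        if isinstance(current, dict) and bit in current:
            current = current[bit]
        elif hasattr(current, bit):
            current = getattr(current, bit)
        else:
            return ""
        if callable(current):
            if getattr(current, "alters_data", False) or \
                    getattr(current, "do_not_call_in_templates", False):
                return ""                # risk 1: never invoke a marked method
            current = current()
    return current


def render_user_template(source, context):
    """Render a user-authored template against an explicit context dict
    (never a RequestContext, so context processors add nothing: risk 2).
    Substituted values are HTML-escaped; the template text itself is not."""
    check_user_template(source)

    def substitute(m):
        value = resolve(context, m.group(1))
        for name in m.group(2).split("|")[1:]:
            value = FILTERS[name](str(value))
        return html.escape(str(value))

    return VARIABLE_RE.sub(substitute, source)


class FakeUser:
    """Constructed stand-in for a model instance (not a Django model)."""
    def __init__(self):
        self.name = "alice"
        self.killed = False
        self.deleted = False

    def kill(self):                      # marked, as the answer recommends
        self.killed = True
    kill.alters_data = True

    def unmarked_delete(self):           # forgotten marker: lookup WILL call it
        self.deleted = True


def demo():
    """Exercise the three behaviours and return the observations."""
    user = FakeUser()
    results = {}
    results["safe"] = render_user_template(
        "hey, my name is {{ user.name|title }}.{{ user.kill }}", {"user": user})
    results["killed"] = user.killed          # False: alters_data blocked the call
    render_user_template("{{ user.unmarked_delete }}", {"user": user})
    results["deleted"] = user.deleted        # True: unmarked method was invoked
    results["no_request"] = render_user_template(
        "{{ request.user.email }}", {"user": user})   # "" - no RequestContext
    try:
        check_user_template("{% debug %}")
        results["debug_rejected"] = False
    except UnsafeTemplate:
        results["debug_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The demo shows the unmarked method being invoked by a mere variable lookup, which is the answer's first risk in action, and shows that a template asking for request.user.email simply resolves to an empty string when the context is a hand-built dict. Note that only substituted values are escaped: the user-authored template text is emitted as-is, so the questioner's plan to disallow or restrict HTML in the template body still needs its own step before or after rendering.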
