fix: prevent SSTI by switching to SandboxedEnvironment #74

Merged: masci merged 5 commits into main from docs/template-security-warning on Apr 27, 2026

Conversation

@masci masci (Owner) commented Apr 27, 2026

Summary

  • Switch jinja2.Environment to jinja2.sandbox.SandboxedEnvironment in src/banks/env.py — blocks dunder attribute traversal in templates, preventing SSTI/RCE payloads from reaching __builtins__
  • Add regression test that verifies the canonical SSTI payload raises an exception
  • Document that prompt templates are trusted code and user-supplied strings must never be passed as template text

Test plan

  • All 122 existing tests pass unchanged with SandboxedEnvironment
  • test_ssti_blocked confirms the exploit payload raises SecurityError
  • Docs build without errors (hatch run docs build)

🤖 Generated with Claude Code
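An added example, not code from the banks project, showing the behaviour the PR description relies on: the same dunder-traversal probe rendered by a plain Environment and by SandboxedEnvironment, plus the variable-passing pattern the docs recommend. It assumes jinja2 is installed; the function and constant names are my own.

```python
"""Added example (not from the banks project): why SandboxedEnvironment blocks
dunder attribute traversal, and why the template text itself must stay trusted.
Assumes jinja2 is installed."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# A harmless probe: it only reads the class name of an empty string, but it
# uses exactly the dunder traversal that SSTI payloads start with.
DUNDER_PROBE = "{{ ''.__class__.__name__ }}"


def render(env: Environment, template_text: str, **variables) -> str:
    """Render template_text in env. Returns the output, or the name of the
    exception class when the environment refuses to render it."""
    try:
        return env.from_string(template_text).render(**variables)
    except SecurityError as exc:
        return type(exc).__name__


def blocks_dunder_traversal(env: Environment) -> bool:
    """True if env refuses dunder attribute access. Useful as a regression
    check so nobody silently swaps the sandbox back for a plain Environment."""
    return render(env, DUNDER_PROBE) == "SecurityError"


def render_untrusted_safely(env: Environment, user_text: str) -> str:
    """The safe pattern the PR documents: the template is fixed, trusted code,
    and the user's string is passed as a *variable*, never as template source."""
    trusted_template = "User said: {{ user_text }}"
    return env.from_string(trusted_template).render(user_text=user_text)


if __name__ == "__main__":
    plain, sandboxed = Environment(), SandboxedEnvironment()
    # Plain environment walks the dunder chain: prints "str".
    print(render(plain, DUNDER_PROBE))
    # The sandbox refuses it: prints "SecurityError".
    print(render(sandboxed, DUNDER_PROBE))
    # The safe pattern echoes the probe back verbatim instead of evaluating it.
    print(render_untrusted_safely(sandboxed, DUNDER_PROBE))
```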

masci and others added 2 commits April 27, 2026 13:19
Templates are rendered in an unsandboxed Jinja2 environment, so passing
untrusted user input as template text allows arbitrary code execution.
Document the safe pattern (variables) vs the unsafe one (raw user strings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from jinja2.Environment to jinja2.sandbox.SandboxedEnvironment.
This blocks access to dunder attributes in templates, preventing SSTI
payloads from reaching __builtins__ and executing arbitrary code.

All existing tests pass unchanged. Add a regression test that verifies
the canonical SSTI payload raises an exception.

Also document that templates are trusted code and that user-supplied
strings must never be passed as template text.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 27, 2026 11:29

Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to mitigate Server-Side Template Injection (SSTI) risks in Banks prompt rendering by moving the global Jinja2 environment to Jinja2’s sandbox, adding a regression test for a canonical SSTI payload, and documenting safe/unsafe template usage patterns.

Changes:

  • Switch global Jinja environment from jinja2.Environment to jinja2.sandbox.SandboxedEnvironment.
  • Add a regression test intended to ensure a known SSTI/RCE-style payload is blocked.
  • Add/extend documentation warning against rendering user-supplied template text.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • src/banks/env.py: Uses SandboxedEnvironment for the global Jinja environment to reduce SSTI risk.
  • tests/test_prompt.py: Adds a regression test for an SSTI payload being blocked at render time.
  • docs/prompt.md: Adds a warning about treating templates as trusted code, but currently describes the environment incorrectly.
  • docs/index.md: Adds a “Security” section explaining safe vs unsafe patterns, but wording should reflect sandboxing.


Outdated comment threads: tests/test_prompt.py, docs/prompt.md, docs/index.md
@masci masci marked this pull request as draft April 27, 2026 11:32
masci and others added 2 commits April 27, 2026 13:36
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…lect SandboxedEnvironment

Agent-Logs-Url: https://github.com/masci/banks/sessions/de6273d5-80bf-468c-8853-feeb273a7294

Co-authored-by: masci <7241+masci@users.noreply.github.com>
e2e tests require an OpenAI API key that is no longer valid.
Python 3.9 is EOL (Oct 2025) and newer virtualenv drops support for it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coveralls commented

Coverage Status: Coverage is 94.769% (docs/template-security-warning into main). No base build found for main.

@masci masci marked this pull request as ready for review April 27, 2026 12:13
@masci masci merged commit dbf7cef into main Apr 27, 2026
16 checks passed
@masci masci deleted the docs/template-security-warning branch April 27, 2026 12:13