Update dependency Jinja2 to v3.1.5 [SECURITY] (#1158)

slack-oss-bot · web-flow · commit 0190ac25a99c · 2024-12-25T00:07:08.000-08:00
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [Jinja2](https://redirect.github.com/pallets/jinja) ([changelog](https://jinja.palletsprojects.com/changes/)) | patch | `==3.1.4` -> `==3.1.5` | ### GitHub Vulnerability Alerts #### [CVE-2024-56326](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h) An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. #### [CVE-2024-56201](https://redirect.github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699) A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. --- ### Release Notes <details> <summary>pallets/jinja (Jinja2)</summary> ### [`v3.1.5`](https://redirect.github.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-315) [Compare Source](https://redirect.github.com/pallets/jinja/compare/3.1.4...3.1.5) Released 2024-12-21 - The sandboxed environment handles indirect calls to `str.format`, such as by passing a stored reference to a filter that calls its argument. :ghsa:`q2x7-8rv6-6q7h` - Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:`1792`, :ghsa:`gmj6-6f8f-6699` - Sandbox does not allow `clear` and `pop` on known mutable sequence types. :issue:`2032` - Calling sync `render` for an async template uses `asyncio.run`. :pr:`1952` - Avoid unclosed `auto_aiter` warnings. :pr:`1960` - Return an `aclose`-able `AsyncGenerator` from `Template.generate_async`. :pr:`1960` - Avoid leaving `root_render_func()` unclosed in `Template.generate_async`. :pr:`1960` - Avoid leaving async generators unclosed in blocks, includes and extends. :pr:`1960` - The runtime uses the correct `concat` function for the current environment when calling block references. :issue:`1701` - Make `|unique` async-aware, allowing it to be used after another async-aware filter. :issue:`1781` - `|int` filter handles `OverflowError` from scientific notation. :issue:`1921` - Make compiling deterministic for tuple unpacking in a `{% set ... %}` call. :issue:`2021` - Fix dunder protocol (`copy`/`pickle`/etc) interaction with `Undefined` objects. :issue:`2025` - Fix `copy`/`pickle` support for the internal `missing` object. :issue:`2027` - `Environment.overlay(enable_async)` is applied correctly. :pr:`2061` - The error message from `FileSystemLoader` includes the paths that were searched. :issue:`1661` - `PackageLoader` shows a clearer error message when the package does not contain the templates directory. :issue:`1705` - Improve annotations for methods returning copies. :pr:`1880` - `urlize` does not add `mailto:` to values like `@a@b`. :pr:`1870` - Tests decorated with `@pass_context`` can be used with the ``|select`` filter. :issue:`1624\` - Using `set` for multiple assignment (`a, b = 1, 2`) does not fail when the target is a namespace attribute. :issue:`1413` - Using `set` in all branches of `{% if %}{% elif %}{% else %}` blocks does not cause the variable to be considered initially undefined. :issue:`1253` </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
diff --git a/.github/workflows/mkdocs-requirements.txt b/.github/workflows/mkdocs-requirements.txt
@@ -1,6 +1,6 @@
 click==8.1.7
 future==1.0.0
-Jinja2==3.1.4
+Jinja2==3.1.5
 livereload==2.6.3
 lunr==0.7.0.post1
 Markdown==3.5.1
