-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NEFARIOUSPLAN-CANONICAL-V1
{"body_md":"## The pipeline is markdown, then bleach, then Jinja2\n\n`cookbook/helper/template_helper.py`, at version 1.5.23, defines `render_instructions(step)`. It is called from `StepSerializer.get_instructions_markdown`, which the recipe API invokes every time a recipe step is fetched. The function mutates a single `instructions` variable through three stages:\n\n```python\ndef render_instructions(step):  # TODO deduplicate markdown cleanup code\n    instructions = step.instruction\n\n    tags = {\n        \"h1\", \"h2\", \"h3\", \"h4\", \"h5\", \"h6\",\n        \"b\", \"i\", \"strong\", \"em\", \"tt\",\n        \"p\", \"br\",\n        \"span\", \"div\", \"blockquote\", \"code\", \"pre\", \"hr\",\n        \"ul\", \"ol\", \"li\", \"dd\", \"dt\",\n        \"img\",\n        \"a\",\n        \"sub\", \"sup\",\n        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead'\n    }\n    parsed_md = md.markdown(\n        instructions,\n        extensions=[\n            'markdown.extensions.fenced_code', TableExtension(),\n            UrlizeExtension(), MarkdownFormatExtension()\n        ]\n    )\n    markdown_attrs = {\n        \"*\": [\"id\", \"class\", 'width', 'height'],\n        \"img\": [\"src\", \"alt\", \"title\"],\n        \"a\": [\"href\", \"alt\", \"title\"],\n    }\n\n    instructions = bleach.clean(parsed_md, tags, markdown_attrs)\n\n    ingredients = []\n    for i in step.ingredients.all():\n        ingredients.append(IngredientObject(i))\n\n    def scale(number):\n        return f\"<scalable-number v-bind:number='{bleach.clean(str(number))}' v-bind:factor='ingredient_factor'></scalable-number>\"\n\n    try:\n        template = Template(instructions)\n        instructions = template.render(ingredients=ingredients, scale=scale)\n    except TemplateSyntaxError:\n        return _('Could not parse template code.') + ' Error: Template Syntax broken'\n    except UndefinedError:\n        return _('Could not parse template code.') + ' Error: Undefined Error'\n\n    return instructions\n```\n\nThe three stages, in order:\n\n1. `md.markdown()` converts `step.instruction` from markdown source to HTML.\n2. `bleach.clean()` strips HTML tags and attributes not in the allowlist.\n3. `jinja2.Template(instructions).render()` compiles the bleached HTML as a Jinja2 template and executes it. The render context supplies `ingredients` and `scale`.\n\nbleach's job is to ensure HTML that reaches the browser is free of `<script>`, `<iframe>`, and unsafe attributes. It does that job. It does not know what Jinja2 is, and it does not inspect text for Jinja2 expressions. The string `{{ something }}` is indistinguishable from any other text to bleach, because `{{ something }}` is not an HTML tag, attribute, or entity. bleach returns it unchanged. Jinja2 then sees it and evaluates it.\n\n`jinja2.Template` is the unsandboxed template class in Jinja2. Expressions in its templates can reach Python's class hierarchy through attribute navigation. An empty tuple's `__class__` is `tuple`. Its `__base__` is `object`. `object.__subclasses__()` is the list of every class loaded into the interpreter, and at a reproducible index sits `subprocess.Popen`. This is the standard Jinja2 SSTI primitive, and it is available by default in a `Template` that was constructed without an environment.\n\n`jinja2.SandboxedEnvironment` exists for the specific purpose of refusing those navigations. It has existed in every version of Jinja2 Tandoor ever shipped. The developer reached for `Template` instead.\n\n## The developer's mental model is preserved in a 2021 commit\n\nThe markdown → bleach → Jinja2 order was not always the order. In the first commit that added `render_instructions`, on January 5, 2021, `Template(step.instruction)` ran first on the raw field. That ordering was also unsafe, for a simpler reason. It was replaced eight days later.\n\nCommit `0eebd438` on January 13, 2021 restructured the function so that Jinja2 ran last, after bleach. Its commit title is the single word \"commit.\"\n\nA companion commit the same day, `1bb412e0`, has a more revealing title:\n\n> sanitize inputs of jinja so that output does not need to be\n\nThat commit wraps every attribute of `IngredientObject` in `bleach.clean()`:\n\n```diff\n-    self.amount = f\"<scalable-number v-bind:number='{ingredient.amount}' ...\"\n+    self.amount = f\"<scalable-number v-bind:number='{bleach.clean(str(ingredient.amount))}' ...\"\n-    self.unit = ingredient.unit\n+    self.unit = bleach.clean(str(ingredient.unit))\n-    self.food = ingredient.food\n-    self.note = ingredient.note\n+    self.food = bleach.clean(str(ingredient.food))\n+    self.note = bleach.clean(str(ingredient.note))\n```\n\n`IngredientObject` instances are what get passed into `template.render(ingredients=...)`. When a recipe step contains `{{ ingredients[0].food }}`, the rendered output is whatever `ingredient.food` happens to be. The developer's mental model, stated plainly in the commit message: clean the inputs to render(), and you will not need to clean the output.\n\nThat model protects against a user who types `<script>` into an ingredient name and has that script survive into rendered HTML. It does not protect against anything that lives in the template source. The template source is `step.instruction`. The template source is not one of render()'s kwargs. It is code, compiled by `Template()` and executed by `.render()`. The security question for `Template(step.instruction)` is not \"what do the variables look like,\" it is \"what does the template itself do.\"\n\nThe commit message names the wrong input. `ingredients` and `scale` are not the dangerous input. `step.instruction` is the dangerous input, because `step.instruction` is source code.\n\n## The exploit's work is bypassing markdown, not Jinja2\n\nThe researcher's PoC in [GHSA-r6rj-h75w-vj8v](https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-r6rj-h75w-vj8v):\n\n```\n{{()|attr('\\x5f\\x5fclass\\x5f\\x5f')|attr('\\x5f\\x5fbase\\x5f\\x5f')|attr('\\x5f\\x5fsubclasses\\x5f\\x5f')()|attr('\\x5f\\x5fgetitem\\x5f\\x5f')(418)('whoami',shell=True,stdout=-1)|attr('communicate')()|attr('\\x5f\\x5fgetitem\\x5f\\x5f')(0)|attr('decode')('utf-8')}}\n```\n\nThe Jinja2 chain here is a cheatsheet payload: navigate from an empty tuple to `object`, enumerate subclasses, pick the index where `subprocess.Popen` lives, invoke it with `shell=True`. It appears in every SSTI guide. The payload's novelty is not the Jinja2 part. It is `\\x5f\\x5fclass\\x5f\\x5f` instead of `__class__`.\n\nMarkdown treats consecutive underscores as emphasis. `_italic_` becomes `<em>italic</em>`. `__class__` becomes either wrapped in emphasis tags or has its underscores consumed, depending on the parser's state. A direct `{{().__class__...}}` payload does not arrive at Jinja2 in the form the attacker wrote it.\n\n`\\x5f\\x5fclass\\x5f\\x5f` does. `\\x5f` is five ASCII characters: backslash, x, five, f. `md.markdown()` has no interpretation for them and emits them unchanged into its HTML output. `bleach.clean()` has no interpretation for them and passes them through, because they are neither HTML syntax nor anything on its allowlist. `jinja2.Template` compiles the template, and when it evaluates `attr('\\x5f\\x5fclass\\x5f\\x5f')`, Jinja2 hands the argument to Python's string decoding. Python reads `\\xNN` as a hex byte. The argument to `attr()` becomes `__class__`.\n\nThe researcher did the hex-escape work because markdown exists in the pipeline. The Jinja2 chain itself required no novelty, because `Template` imposes no sandbox. bleach contributed nothing to the difficulty of the attack. It was not a factor.\n\nAuthentication is required, nominally. Tandoor's recipe write permission belongs to the `user` group; the GHSA publisher, the project maintainer, puts it this way: \"any user.\" Tandoor deployments include self-registration, shared spaces, and per-space invite flows. The Docker Compose shipped in-repository runs the Django process as root. CVSS assigned `PR:L`, `S:C`, and scored it 9.9.\n\n## The patch is two imports and one constructor\n\nCommit `e6087d51`, November 26, 2024:\n\n```diff\n import bleach\n import markdown as md\n from jinja2 import Template, TemplateSyntaxError, UndefinedError\n+from jinja2.exceptions import SecurityError\n+from jinja2.sandbox import SandboxedEnvironment\n from markdown.extensions.tables import TableExtension\n...\n     try:\n-        template = Template(instructions)\n-        instructions = template.render(ingredients=ingredients, scale=scale)\n+        env = SandboxedEnvironment()\n+        instructions = env.from_string(instructions).render(ingredients=ingredients, scale=scale)\n     except TemplateSyntaxError:\n         return _('Could not parse template code.') + ' Error: Template Syntax broken'\n     except UndefinedError:\n         return _('Could not parse template code.') + ' Error: Undefined Error'\n+    except SecurityError:\n+        return _('Could not parse template code.') + ' Error: Security Error'\n```\n\n`Template` and `SandboxedEnvironment` live in the same library. The Jinja2 documentation has said for more than a decade that `Template` is not safe with untrusted template sources, and that `SandboxedEnvironment` is the class to use when the source is untrusted. The fix is the swap. The function's shape, the markdown stage, the bleach stage, the render kwargs: all unchanged.\n\nThe vulnerable code shipped in Tandoor 0.13.0 on January 5, 2021. The markdown-to-bleach-to-Jinja2 order that the published PoC targets shipped in 0.14.0 on February 15, 2021. The fix shipped in 1.5.24 on November 26, 2024. The commit comment that became the function's header on the day the file was introduced, and is still there: `# TODO deduplicate markdown cleanup code`. The developer noticed the duplication. Nothing in any commit noted the template sandbox.\n\n## This is content-is-command at the template boundary\n\nEvery time a Tandoor recipe is read, `step.instruction` is compiled into a Jinja2 template and executed. The instruction field is a textarea in a form and a column in a database. Users type recipes into it. Its contents are authoritative for what the template engine compiles. An interpreter that reads user-supplied text and evaluates the expressions inside it is the [content-is-command](/patterns/content-is-command) pattern reduced to its minimum form. The channel that was supposed to hold passive data (a cooking instruction) is the same channel that holds executable code (a Jinja2 template). Tandoor is the small-surface cousin of the [Composer Perforce injection](/posts/composer-perforce-synccodebase-injection): there, package-registry metadata became a shell command on a developer's machine; here, markdown text from a recipe form becomes Python on the server.\n\nThe defense is not a better sanitizer. The defense is constraining the interpreter. `SandboxedEnvironment` refuses attribute access to Python's class hierarchy at evaluation time; `()|attr('__class__')` raises `SecurityError` and never resolves. The patch adopts that class and adds the corresponding exception handler. The markdown and bleach stages stay, because they still have jobs to do at the HTML layer. They are not, and were never, doing a job at the Python layer.\n\nThe pipeline shape here recurs. Django templates run `mark_safe()` on escaped strings and then render them. A YAML loader runs downstream of an HTML scrubber. An LLM prompt assembled from `bleach.clean()`-sanitized text is fed to a model that evaluates natural-language instructions. Each stage has a threat model; each sanitizer defends against the threats its designer had in mind. Chaining a sanitizer for layer L with an interpreter for layer L' does not make the sanitizer cover the interpreter. The sanitizer is not looking at what the interpreter will read.\n\nPoC: [projectdiscovery/nuclei-templates/http/cves/2025/CVE-2025-23211.yaml](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-23211.yaml)","closing_line":"The instruction field was not data. It was template source. The sanitizer in front of it was for a different language.","hook_md":"Tandoor Recipes renders every recipe step through `jinja2.Template()`. The template engine is not sandboxed, has full access to Python builtins, and has been configured that way since January 5, 2021. Between the user-controlled `instruction` field and the template engine sits exactly one security call: `bleach.clean()`. bleach is an HTML sanitizer. The template engine it is placed in front of does not read HTML.","post_id":38,"slug":"tandoor-recipes-bleach-is-not-a-jinja-sandbox","title":"CVE-2025-23211: bleach Is An HTML Sanitizer. Jinja2 Does Not Read HTML.","type":"initial","unreadable_sentence":"bleach is an HTML sanitizer. The template engine it is placed in front of does not read HTML."}
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRf0htP5+SjynlxywneZjl4jgkQJgUCafoiwwAKCRDeZjl4jgkQ
JqmPAQDMz3a5MTmIZQI5/tmaLjt3E3Mo3edSrdiKD5YuDn5oOQEAosvy6950IIs7
kwqyAOxOUeF1c51UcZRvfFJPiy8q1wY=
=Tfdk
-----END PGP SIGNATURE-----