From 9717719502961abec9e94cf166f018bfee5a445b Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Thu, 7 Aug 2025 15:47:14 -0400 Subject: [PATCH] docs: fix missing entry from template function_denylist (#26458) The docs for the `template` block accurately describe the template configuration default function denylist in the body but the default parameters are missing values. The equivalent docs in the `client` configuration are missing `executeTemplate` as well. --- website/content/docs/configuration/client.mdx | 9 +++++---- website/content/docs/job-specification/template.mdx | 13 +++++++------ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx index 6d2d4038f..7ddbf4fd4 100644 --- a/website/content/docs/configuration/client.mdx +++ b/website/content/docs/configuration/client.mdx @@ -506,10 +506,11 @@ refer to the [drivers documentation](/nomad/docs/job-declare/task-driver). ### `template` Parameters -- `function_denylist` `([]string: ["plugin", "writeToFile"])` - Specifies a - list of template rendering functions that should be disallowed in job specs. - By default the `plugin` and `writeToFile` functions are disallowed as they - allow unrestricted root access to the host. +- `function_denylist` `([]string: ["plugin", "executeTemplate", + "writeToFile"])` - Specifies a list of template rendering functions that + should be disallowed in job specs. By default the `plugin`, `executeTemplate` + and `writeToFile` functions are disallowed as they allow unrestricted root + access to the host or allow recursive execution. - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary files on the client host via the `file` function. By default, templates can diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx index 43609c96c..174d5ef75 100644 
--- a/website/content/docs/job-specification/template.mdx +++ b/website/content/docs/job-specification/template.mdx @@ -795,12 +795,13 @@ access it by index. This secret was set using The `template` block has the following [client configuration options](/nomad/docs/configuration/client#options): -- `function_denylist` `([]string: ["plugin"])` - Specifies a list of template - rendering functions that should be disallowed in job specs. By default, the - `plugin` function is disallowed as it allows running arbitrary commands on the - host as root (unless Nomad is configured to run as a non-root user), - `executeTemplate` is disallowed to prevent accidental or malicious infinitely - recursive execution, and `writeToFile` is disallowed. +- `function_denylist` `([]string: ["plugin", "executeTemplate", + "writeToFile"])` - Specifies a list of template rendering functions that + should be disallowed in job specs. By default, the `plugin` function is + disallowed as it allows running arbitrary commands on the host as root (unless + Nomad is configured to run as a non-root user), `executeTemplate` is + disallowed to prevent accidental or malicious infinitely recursive execution, + and `writeToFile` is disallowed. - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary files on the client host via the `file` function. By default, templates can
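Review bot: In the client.mdx hunk (@@ -506,10 +506,11 @@), the new sentence "are disallowed as they allow unrestricted root access to the host or allow recursive execution" no longer says which function carries which risk. It also omits the "unless Nomad is configured to run as a non-root user" qualifier that template.mdx gives for `plugin`. Suggest stating the reason per function, as the template.mdx wording does, so an operator weighing whether to drop one entry from the denylist can see what that entry protects against.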
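Review bot: In the template.mdx hunk (@@ -795,12 +795,13 @@), the closing clause "and `writeToFile` is disallowed." still gives no reason, while `plugin` and `executeTemplate` each have one. The client.mdx text in this same patch groups `writeToFile` with the root-access risk, so that reason could be stated here as well. The default list is also now written out in full in both files, which is the duplication that let them drift apart; consider keeping the per-function explanation in one file and pointing the other at it through the existing client configuration link.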