security: add CT executeTemplate to default function_denylist (#24541)

This PR adds Consul Template's executeTemplate function to the denylist by default, in order to prevent accidental or malicious infinitely recursive execution. --------- Co-authored-by: Tim Gross <tgross@hashicorp.com>
2026-01-01 16:05:42 +03:00 · 2024-11-22 19:33:56 +01:00
parent 368241dbf2
commit f7a4ded2c0
5 changed files with 20 additions and 9 deletions
--- a/.changelog/24541.txt
+++ b/.changelog/24541.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: add executeTemplate to default template function_denylist
+```
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -73,7 +73,7 @@ var (

 	DefaultTemplateMaxStale = 87600 * time.Hour

-	DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
+	DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
 )

 // RPCHandler can be provided to the Client if there is a local server
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 		agentConfig = defaultConfig.Merge(agentConfig)

 		templateConfig := agentConfig.Client.TemplateConfig
-		must.Len(t, 2, templateConfig.FunctionDenylist)
+		must.Len(t, 3, templateConfig.FunctionDenylist)
 	})

 	t.Run("client config with basic template", func(t *testing.T) {
--- a/website/content/docs/job-specification/template.mdx
+++ b/website/content/docs/job-specification/template.mdx
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):

 - `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
  rendering functions that should be disallowed in job specs. By default, the
-  `plugin` function is disallowed as it allows running arbitrary commands on
-  the host as root (unless Nomad is configured to run as a non-root user).
+  `plugin` function is disallowed as it allows running arbitrary commands on the
+  host as root (unless Nomad is configured to run as a non-root user),
+  `executeTemplate` is disallowed to prevent accidental or malicious infinitely
+  recursive execution, and `writeToFile` is disallowed.

 - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
  files on the client host via the `file` function. By default, templates can
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.

 ## Nomad 1.9.4

-In Nomad 1.9.4, the [default client env deny
-list](/nomad/docs/configuration/client#env-denylist) includes additional
-environment variables to improve security. Users who need some of these secure
-environment variables passed to their tasks should consult the list and
-overwrite it in the configuration.
+#### Security updates to default deny lists
+
+In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
+a measure to prevent accidental or malicious infinitely recursive execution.
+Users that require `executeTemplate` should update their
+[configuration](/nomad/docs/job-specification/template#function_denylist).
+
+Additionally, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes more environment
+variables. Users who need some of these secure environment variables passed to
+their tasks should consult the list and overwrite it in the configuration.

 ## Nomad 1.9.3