security: add CT executeTemplate to default function_denylist (#24541)

This PR adds Consul Template's executeTemplate function to the denylist by
default, in order to prevent accidental or malicious infinitely recursive
execution.

---------

Co-authored-by: Tim Gross <tgross@hashicorp.com>

.changelog/24541.txt

@@ -0,0 +1,3 @@
+```release-note:security
+security: add executeTemplate to default template function_denylist
+```

client/config/config.go

@@ -73,7 +73,7 @@ var (
 
 	DefaultTemplateMaxStale = 87600 * time.Hour
 
-	DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
+	DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
 )
 
 // RPCHandler can be provided to the Client if there is a local server

command/agent/config_test.go

@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 		agentConfig = defaultConfig.Merge(agentConfig)
 
 		templateConfig := agentConfig.Client.TemplateConfig
-		must.Len(t, 2, templateConfig.FunctionDenylist)
+		must.Len(t, 3, templateConfig.FunctionDenylist)
 	})
 
 	t.Run("client config with basic template", func(t *testing.T) {

website/content/docs/job-specification/template.mdx

@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):
 
 - `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
   rendering functions that should be disallowed in job specs. By default, the
-  `plugin` function is disallowed as it allows running arbitrary commands on
+  `plugin` function is disallowed as it allows running arbitrary commands on the
-  the host as root (unless Nomad is configured to run as a non-root user).
+  host as root (unless Nomad is configured to run as a non-root user),
+  `executeTemplate` is disallowed to prevent accidental or malicious infinitely
+  recursive execution, and `writeToFile` is disallowed.
 
 - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
   files on the client host via the `file` function. By default, templates can

website/content/docs/upgrade/upgrade-specific.mdx

@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.
 
 ## Nomad 1.9.4
 
-In Nomad 1.9.4, the [default client env deny
+#### Security updates to default deny lists
-list](/nomad/docs/configuration/client#env-denylist) includes additional
+
-environment variables to improve security. Users who need some of these secure
+In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
-environment variables passed to their tasks should consult the list and
+a measure to prevent accidental or malicious infinitely recursive execution.
-overwrite it in the configuration.
+Users that require `executeTemplate` should update their
+[configuration](/nomad/docs/job-specification/template#function_denylist).
+
+Additionally, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes more environment
+variables. Users who need some of these secure environment variables passed to
+their tasks should consult the list and overwrite it in the configuration.
 
 ## Nomad 1.9.3