From fc12891256a8192a70766449473b19fd2724a8d5 Mon Sep 17 00:00:00 2001
From: Xavier Hardy <xavier.hardy@corp.ovh.com>
Date: Mon, 10 Apr 2017 15:36:23 +0200
Subject: [PATCH] Use Jinja2 sandbox environment

Jinja2 non-sandbox environment is unsafe as it gives
access to unsafe Python methods

Change-Id: If8a96bb92f64c4226a3d02e3cf6e0dcb0e9156fd
Closes-Bug: #1680112
---
 mistral/expressions/jinja_expression.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mistral/expressions/jinja_expression.py b/mistral/expressions/jinja_expression.py
index e17ee1eb..116e2c21 100644
--- a/mistral/expressions/jinja_expression.py
+++ b/mistral/expressions/jinja_expression.py
@@ -16,6 +16,7 @@ import re
 
 import jinja2
 from jinja2 import parser as jinja_parse
+from jinja2.sandbox import SandboxedEnvironment
 from oslo_log import log as logging
 import six
 
@@ -29,7 +30,7 @@ LOG = logging.getLogger(__name__)
 JINJA_REGEXP = '({{(.*)}})'
 JINJA_BLOCK_REGEXP = '({%(.*)%})'
 
-_environment = jinja2.Environment(
+_environment = SandboxedEnvironment(
     undefined=jinja2.StrictUndefined,
     trim_blocks=True,
     lstrip_blocks=True