backport of commit f7a4ded (#24544)

Co-authored-by: Piotr Kazmierczak <[email protected]>
hashicorp · Nov 22, 2024 · e562d14 · e562d14
1 parent d198560
commit e562d14
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 9 deletions.
diff --git a/.changelog/24541.txt b/.changelog/24541.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: add executeTemplate to default template function_denylist
+```
diff --git a/client/config/config.go b/client/config/config.go
@@ -73,7 +73,7 @@ var (
 
 	DefaultTemplateMaxStale = 87600 * time.Hour
 
-	DefaultTemplateFunctionDenylist = []string{"plugin", "writeToFile"}
+	DefaultTemplateFunctionDenylist = []string{"executeTemplate", "plugin", "writeToFile"}
 )
 
 // RPCHandler can be provided to the Client if there is a local server

diff --git a/command/agent/config_test.go b/command/agent/config_test.go
@@ -1535,7 +1535,7 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 		agentConfig = defaultConfig.Merge(agentConfig)
 
 		templateConfig := agentConfig.Client.TemplateConfig
-		must.Len(t, 2, templateConfig.FunctionDenylist)
+		must.Len(t, 3, templateConfig.FunctionDenylist)
 	})
 
 	t.Run("client config with basic template", func(t *testing.T) {

diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx
@@ -791,8 +791,10 @@ options](/nomad/docs/configuration/client#options):
 
 - `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
   rendering functions that should be disallowed in job specs. By default, the
-  `plugin` function is disallowed as it allows running arbitrary commands on
-  the host as root (unless Nomad is configured to run as a non-root user).
+  `plugin` function is disallowed as it allows running arbitrary commands on the
+  host as root (unless Nomad is configured to run as a non-root user),
+  `executeTemplate` is disallowed to prevent accidental or malicious infinitely
+  recursive execution, and `writeToFile` is disallowed.
 
 - `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
   files on the client host via the `file` function. By default, templates can

diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -15,11 +15,17 @@ used to document those details separately from the standard upgrade flow.
 
 ## Nomad 1.9.4
 
-In Nomad 1.9.4, the [default client env deny
-list](/nomad/docs/configuration/client#env-denylist) includes additional
-environment variables to improve security. Users who need some of these secure
-environment variables passed to their tasks should consult the list and
-overwrite it in the configuration.
+#### Security updates to default deny lists
+
+In Nomad 1.9.4, the default `function_denylist` includes `executeTemplate`, as
+a measure to prevent accidental or malicious infinitely recursive execution.
+Users that require `executeTemplate` should update their
+[configuration](/nomad/docs/job-specification/template#function_denylist).
+
+Additionally, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes more environment
+variables. Users who need some of these secure environment variables passed to
+their tasks should consult the list and overwrite it in the configuration.
 
 ## Nomad 1.9.3