Safe mode rendering does not correctly prevent using symbol to proc calls
|Triaged:| |Fixed in Releases:| |
|Bugzilla link:|1469599|Found in Releases:| |
|Pull request:|https://github.com/theforeman/community-templates/pull/411, https://github.com/theforeman/foreman/pull/4659, https://github.com/theforeman/community-templates/pull/407, https://github.com/theforeman/foreman/pull/4669|
Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`.
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged, we should update our version of the gem to the latest one.
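An added example, not part of the original issue and not code from Foreman or the safemode gem: a Ruby check that parses template source with Ripper and lists every symbol passed as a block argument (`&:name`), the construct described above, so templates that use it can be found and reviewed. The helper names and the sample template are constructed for illustration.

```ruby
require 'erb'
require 'ripper'

# Constructed sample template (not taken from Foreman or community-templates).
SAMPLE_TEMPLATE = <<~TEMPLATE
  <% @hosts.each do |host| -%>
  <%= host.name %>
  <% end -%>
  <%= @hosts.map(&:name).join(', ') %>
  <% @hosts.each(&:delete) %>
TEMPLATE

# Depth-first search for the first scanner token, e.g. [:@ident, "delete", [line, col]].
def first_token(node)
  return nil unless node.is_a?(Array)
  return node if node[0].is_a?(Symbol) && node[0].to_s.start_with?('@')
  node.each do |child|
    token = first_token(child)
    return token if token
  end
  nil
end

# Walk a Ripper s-expression; record each symbol literal used as a block argument.
def collect_block_pass(node, found = [])
  return found unless node.is_a?(Array)

  block = node[2] if node[0] == :args_add_block
  if block.is_a?(Array) && %i[symbol_literal dyna_symbol].include?(block[0])
    token = first_token(block)
    found << { name: token[1], line: token[2][0] } if token
  end
  node.each { |child| collect_block_pass(child, found) }
  found
end

# Hypothetical helper: symbol block-passes in plain Ruby source, with line numbers.
def symbol_block_passes(ruby_source)
  sexp = Ripper.sexp(ruby_source)
  raise ArgumentError, 'source does not parse as Ruby' if sexp.nil?
  collect_block_pass(sexp)
end

# Hypothetical helper: same check for an ERB template, compiled to Ruby first.
# Only names are returned: line numbers would refer to the compiled source.
def erb_symbol_block_passes(template)
  symbol_block_passes(ERB.new(template, trim_mode: '-').src).map { |hit| hit[:name] }
end
```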
Fixes #20271 - update safemode gem
(cherry picked from commit feb811114bca02dd746f7b275fbf04715b43376f)
#7 Updated by Alex Fisher about 1 year ago
This possibly should be reopened until https://github.com/theforeman/community-templates/issues/406 is resolved.