From 630fa07769fc0e99a0fe1e788a9fde844e73e57a Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Wed, 16 Apr 2025 10:10:18 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-27516 to #20074 add patch to fix CVE-2025-27516 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 bugfix-for-cve-2025-27516.patch | 101 ++++++++++++++++++++++++++++++++
 python-jinja2.spec | 9 ++-
 2 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 bugfix-for-cve-2025-27516.patch
diff --git a/bugfix-for-cve-2025-27516.patch b/bugfix-for-cve-2025-27516.patch
new file mode 100644
index 0000000..36d6136
--- /dev/null
+++ b/bugfix-for-cve-2025-27516.patch
@@ -0,0 +1,101 @@
+From 065334d1ee5b7210e1a0a93c37238c86858f2af7 Mon Sep 17 00:00:00 2001
+From: David Lord
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+---
+ CHANGES.rst | 2 ++
+ src/jinja2/filters.py | 37 ++++++++++++++++---------------------
+ tests/test_security.py | 10 ++++++++++
+ 3 files changed, 28 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGES.rst b/CHANGES.rst
+index f1956ec12..605a04fd9 100644
+--- a/CHANGES.rst
++++ b/CHANGES.rst
+@@ -7,6 +7,8 @@ Version 3.1.6
+ as keys to this filter, or must be separately validated first.
+ GHSA-h75v-3vvj-5mfj
+ 
++- The ``|attr`` filter does not bypass the environment's attribute lookup,
++ allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7`
+ 
+ Version 3.1.3
+ -------------
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index e5b5a00c5..2bcba4fbd 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -6,6 +6,7 @@
+ import typing
+ import typing as t
+ from collections import abc
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+ 
+@@ -1411,31 +1412,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
+ def do_attr(
+ environment: "Environment", obj: t.Any, name: str
+ ) -> t.Union[Undefined, t.Any]:
+- """Get an attribute of an object. ``foo|attr("bar")`` works like
+- ``foo.bar`` just that always an attribute is returned and items are not
+- looked up.
++ """Get an attribute of an object. ``foo|attr("bar")`` works like
++ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++ if the attribute doesn't exist.
+ 
+ See :ref:`Notes on subscriptions ` for more details.
+ """
++ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++ # But we want to call env.getattr to get behavior such as sandboxing.
++ # Determine if the attr exists first, so we know the fallback won't trigger.
+ try:
+- name = str(name)
+- except UnicodeError:
+- pass
+- else:
+- try:
+- value = getattr(obj, name)
+- except AttributeError:
+- pass
+- else:
+- if environment.sandboxed:
+- environment = t.cast("SandboxedEnvironment", environment)
+-
+- if not environment.is_safe_attribute(obj, name, value):
+- return environment.unsafe_undefined(obj, name)
+-
+- return value
+-
+- return environment.undefined(obj=obj, name=name)
++ # This avoids executing properties/descriptors, but misses __getattr__
++ # and __getattribute__ dynamic attrs.
++ getattr_static(obj, name)
++ except AttributeError:
++ # This finds dynamic attrs, and we know it's not a descriptor at this point.
++ if not hasattr(obj, name):
++ return environment.undefined(obj=obj, name=name)
++
++ return environment.getattr(obj, name)
+ 
+ 
+ @typing.overload
+diff --git a/tests/test_security.py b/tests/test_security.py
+index 864d5f7f9..3a1378192 100644
+--- a/tests/test_security.py
++++ b/tests/test_security.py
+@@ -171,3 +171,13 @@ def test_safe_format_all_okay(self):
+ '{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":""}) }}'
+ )
+ assert t.render() == "a42b<foo>"
++
++ def test_attr_filter(self) -> None:
++ env = SandboxedEnvironment()
++ t = env.from_string(
++ """{{ "{0.__call__.__builtins__[__import__]}"
++ | attr("format")(not_here) }}"""
++ )
++
++ with pytest.raises(SecurityError):
++ t.render()
diff --git a/python-jinja2.spec b/python-jinja2.spec
index 54191bf..67ecc63 100644
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global srcname Jinja2
 Name: python-jinja2
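Review bot: The bundled patch's CHANGES.rst hunk carries context from the upstream 3.1.6 changelog (`@@ -7,6 +7,8 @@ Version 3.1.6` and the GHSA-h75v-3vvj-5mfj entry), but this package is 3.1.3-4, so unless Patch1 already produced exactly those lines the hunk will be rejected at %prep; consider dropping the CHANGES.rst hunk from the backport, which has no effect on the built module, and keeping only the src/jinja2/filters.py and tests/test_security.py hunks. The patch header names commit 065334d1ee5b7210e1a0a93c37238c86858f2af7 while the comment added above Patch2 in the spec hunk points at 90457bbf33b8662926ae65cdde4c4c32e756e403; either align the spec comment with the `From` line or state in the commit message that one is the cherry-pick of the other. The new `test_attr_filter` relies on `pytest` and `SecurityError` being in scope in tests/test_security.py, which the hunk does not show; it is worth confirming that the 3.1.3 file imports them and that the package's %check actually runs this test, since it is the only evidence here that the sandbox now rejects the `attr("format")` lookup. The retained upstream logic calls `hasattr(obj, name)` and then `environment.getattr(obj, name)`, so a `__getattr__`-backed attribute is evaluated twice; that is upstream's accepted trade-off and should be left as-is in a backport, but keep the three explanatory comments intact if filters.py needs context fuzz resolved.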
@@ -11,6 +11,10 @@ Source0: https://files.pythonhosted.org/packages/b2/5e/3a21abf3cd467d7876
 #https://github.com/pallets/jinja/commit/d655030770081e2dfe46f90e27620472a502289d
 Patch1: fix-cve-2024-34064.patch
+
+# https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
+Patch2: bugfix-for-cve-2025-27516.patch
+
 %bcond_with docs
 BuildArch: noarch
@@ -89,6 +93,9 @@ rm -rvf docs/_build/html/.buildinfo
 %doc CHANGES.rst
 %changelog
+* Wed Apr 16 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 3.1.3-4
+- Fix CVE-2025-27516
+
 * Fri Jul 12 2024 yangxinyu - 3.1.3-3
 - fix-cve-2024-34064
-- 
Gitee
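Review bot: The hunk registers Patch2 but does not show how it is applied; if %prep uses numbered `%patch` lines rather than `%autosetup -p1`, a matching `%patch -P2 -p1` is needed, and %prep is outside this hunk. The comment above Patch2 cites only the upstream commit URL; adding `# CVE-2025-27516 / GHSA-cpwx-vrp4-4pq7` beside it would let the next maintainer match the spec entry to the advisory and to the patch file's CHANGES entry without opening the patch.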