Remove dangerous tpl funcs in Sprig that's enabled by default.

`env` and `expandenv` template functions in the Sprig library allow accessing system environment variables within campaign templates.
2025-10-27 17:06:29 +08:00 · 2025-06-08 15:06:56 +05:30 · 2025-06-08 15:06:56 +05:30 · d27d2c32cf
commit d27d2c32cf
parent 6fc6c1ecea
2 changed files with 10 additions and 2 deletions
--- a/cmd/init.go
+++ b/cmd/init.go
@ -988,7 +988,11 @@ func initTplFuncs(i *i18n.I18n, u *UrlConfig) template.FuncMap {
 	}

 	// Copy spring functions.
-	maps.Copy(funcs, sprig.GenericFuncMap())
+	sprigFuncs := sprig.GenericFuncMap()
+	delete(sprigFuncs, "env")
+	delete(sprigFuncs, "expandenv")
+
+	maps.Copy(funcs, sprigFuncs)

 	return funcs
 }
--- a/internal/manager/manager.go
+++ b/internal/manager/manager.go
@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {
 	}

 	// Copy spring functions.
-	maps.Copy(funcs, sprig.GenericFuncMap())
+	sprigFuncs := sprig.GenericFuncMap()
+	delete(sprigFuncs, "env")
+	delete(sprigFuncs, "expandenv")
+
+	maps.Copy(funcs, sprigFuncs)

 	return funcs
 }