Remove dangerous tpl funcs in Sprig that's enabled by default.

`env` and `expandenv` template functions in the Sprig library allow
accessing system environment variables within campaign templates.
Kailash Nadh 2025-06-08 15:06:56 +05:30
parent 6fc6c1ecea
commit d27d2c32cf
2 changed files with 10 additions and 2 deletions


@ -988,7 +988,11 @@ func initTplFuncs(i *i18n.I18n, u *UrlConfig) template.FuncMap {
}
// Copy spring functions.
maps.Copy(funcs, sprig.GenericFuncMap())
sprigFuncs := sprig.GenericFuncMap()
delete(sprigFuncs, "env")
delete(sprigFuncs, "expandenv")
maps.Copy(funcs, sprigFuncs)
return funcs
}
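Review bot: The denylist built here removes only `env` and `expandenv`, but `sprig.GenericFuncMap()` also carries `getHostByName`, which performs a DNS lookup from the server whenever a template that calls it is rendered. If campaign templates can be edited by users who should not be able to trigger network activity from the host, add `delete(sprigFuncs, "getHostByName")` next to the two deletes, or register an explicit allowlist of the Sprig functions templates actually need, so that functions added by future Sprig releases stay off by default. The same applies to the identical block in `makeGnericFuncMap`. `initTplFuncs` starts outside this hunk, so the rest of the map it builds is not visible here.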


@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {
}
// Copy spring functions.
maps.Copy(funcs, sprig.GenericFuncMap())
sprigFuncs := sprig.GenericFuncMap()
delete(sprigFuncs, "env")
delete(sprigFuncs, "expandenv")
maps.Copy(funcs, sprigFuncs)
return funcs
}
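Review bot: The comment above this block still reads `// Copy spring functions.`, which misspells Sprig and no longer says that two functions are deliberately withheld. Suggest `// Copy Sprig functions, except env and expandenv, which would let a template read the server's environment variables.` here and in `initTplFuncs`. The three-line removal is now duplicated in both functions; if they can share a package, a single helper returning the filtered map would keep the two lists from drifting apart. `makeGnericFuncMap` starts outside this hunk.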