From d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e Mon Sep 17 00:00:00 2001
From: Kailash Nadh
Date: Sun, 8 Jun 2025 15:06:56 +0530
Subject: [PATCH] Remove dangerous tpl funcs in Sprig that's enabled by default. `env` and `expandenv` template functions in the Sprig library allow accessing system environment variables within campaign templates.
---
 cmd/init.go | 6 +++++-
 internal/manager/manager.go | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/cmd/init.go b/cmd/init.go
index be2edbff..65a76228 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -988,7 +988,11 @@ func initTplFuncs(i *i18n.I18n, u *UrlConfig) template.FuncMap {
 }
 
 // Copy spring functions.
- maps.Copy(funcs, sprig.GenericFuncMap())
+ sprigFuncs := sprig.GenericFuncMap()
+ delete(sprigFuncs, "env")
+ delete(sprigFuncs, "expandenv")
+
+ maps.Copy(funcs, sprigFuncs)
 
 return funcs
 }
diff --git a/internal/manager/manager.go b/internal/manager/manager.go
index 588c7f59..314454b6 100644
--- a/internal/manager/manager.go
+++ b/internal/manager/manager.go
@@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {
 }
 
 // Copy spring functions.
- maps.Copy(funcs, sprig.GenericFuncMap())
+ sprigFuncs := sprig.GenericFuncMap()
+ delete(sprigFuncs, "env")
+ delete(sprigFuncs, "expandenv")
+
+ maps.Copy(funcs, sprigFuncs)
 
 return funcs
 }
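Review bot: The two `delete` calls are a hand-maintained denylist that is repeated verbatim in `initTplFuncs` (cmd/init.go) and in `makeGnericFuncMap` (internal/manager/manager.go), so the two template environments can drift apart if a later change touches only one of them. A single package-level list with a shared helper, e.g. `for _, name := range unsafeSprigFuncs { delete(sprigFuncs, name) }`, would keep them in step. The list should also be checked against Sprig's other non-hermetic helpers: `getHostByName` performs a DNS lookup from the server and is still returned by `GenericFuncMap()` after this change. The existing comment `// Copy spring functions.` could state the reason, for instance `// Copy Sprig functions, minus those that expose the host environment to template authors.`, and a test asserting that a template calling `env` fails to parse would pin the behaviour. Both function bodies begin outside their hunks, so how the rest of `funcs` is populated is not visible here.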