[AUTO-CHERRYPICK] Patch python-jinja2 for CVE-2025-27516 [High] - branch 3.0-dev (#12966)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/python-jinja2/CVE-2025-27516.patch

@@ -0,0 +1,72 @@
+From b289cbd6a87485ecf81bb959f11f177c71a2e041 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Fri, 7 Mar 2025 14:03:44 +0000
+Subject: [PATCH] CVE-2025-27516
+
+Upstream Reference : https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
+---
+ src/jinja2/filters.py | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index ed07c4c..706d899 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -5,6 +5,7 @@ import re
+ import typing
+ import typing as t
+ from collections import abc
++from inspect import getattr_static
+ from itertools import chain
+ from itertools import groupby
+ 
+@@ -1373,31 +1374,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
+ def do_attr(
+     environment: "Environment", obj: t.Any, name: str
+ ) -> t.Union[Undefined, t.Any]:
+-    """Get an attribute of an object.  ``foo|attr("bar")`` works like
+-    ``foo.bar`` just that always an attribute is returned and items are not
+-    looked up.
++    """Get an attribute of an object. ``foo|attr("bar")`` works like
++    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++    if the attribute doesn't exist.
+ 
+     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+     """
++    # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++    # But we want to call env.getattr to get behavior such as sandboxing.
++    # Determine if the attr exists first, so we know the fallback won't trigger.
+     try:
+-        name = str(name)
+-    except UnicodeError:
+-        pass
+-    else:
+-        try:
+-            value = getattr(obj, name)
+-        except AttributeError:
+-            pass
+-        else:
+-            if environment.sandboxed:
+-                environment = t.cast("SandboxedEnvironment", environment)
+-
+-                if not environment.is_safe_attribute(obj, name, value):
+-                    return environment.unsafe_undefined(obj, name)
+-
+-            return value
+-
+-    return environment.undefined(obj=obj, name=name)
++        # This avoids executing properties/descriptors, but misses __getattr__
++        # and __getattribute__ dynamic attrs.
++        getattr_static(obj, name)
++    except AttributeError:
++        # This finds dynamic attrs, and we know it's not a descriptor at this point.
++        if not hasattr(obj, name):
++            return environment.undefined(obj=obj, name=name)
++
++    return environment.getattr(obj, name)
+ 
+ 
+ @typing.overload
+-- 
+2.45.2
+

SPECS/python-jinja2/python-jinja2-testing-deps.patch

@@ -0,0 +1,69 @@
+From 26b3a167236e300f05780c4b675ec6e2dba04e24 Mon Sep 17 00:00:00 2001
+From: Sam Meluch <sammeluch@microsoft.com>
+Date: Mon, 10 Mar 2025 15:28:30 -0700
+Subject: [PATCH] fix mariner test deps
+
+---
+ requirements/tests.txt | 12 +++++-------
+ tests/test_loader.py   |  6 ++++--
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/requirements/tests.txt b/requirements/tests.txt
+index 4cd3fe99..31c9bb06 100644
+--- a/requirements/tests.txt
++++ b/requirements/tests.txt
+@@ -7,17 +7,15 @@
+ #
+ attrs==21.4.0
+     # via pytest
+-iniconfig==1.1.1
++exceptiongroup==1.1.1
+     # via pytest
+-packaging==21.3
++iniconfig==1.1.1
+     # via pytest
+-pluggy==1.0.0
++packaging==23.2
+     # via pytest
+-py==1.11.0
++pluggy==1.5.0
+     # via pytest
+-pyparsing==3.0.8
+-    # via packaging
+-pytest==7.1.2
++pytest==7.4.0
+     # via -r requirements/tests.in
+ tomli==2.0.1
+     # via pytest
+
+diff --git a/tests/test_loader.py b/tests/test_loader.py
+index 04c921d24..77d686ef5 100644
+--- a/tests/test_loader.py
++++ b/tests/test_loader.py
+@@ -183,6 +183,7 @@ def test_filename_normpath(self):
+
+ class TestModuleLoader:
+     archive = None
++    mod_env = None
+
+     def compile_down(self, prefix_loader, zip="deflated"):
+         log = []
+@@ -196,13 +197,14 @@ def compile_down(self, prefix_loader, zip="deflated"):
+         self.mod_env = Environment(loader=loaders.ModuleLoader(self.archive))
+         return "".join(log)
+
+-    def teardown(self):
+-        if hasattr(self, "mod_env"):
++    def teardown_method(self):
++        if self.archive is not None:
+             if os.path.isfile(self.archive):
+                 os.remove(self.archive)
+             else:
+                 shutil.rmtree(self.archive)
+             self.archive = None
++            self.mod_env = None
+
+     def test_log(self, prefix_loader):
+         log = self.compile_down(prefix_loader)
+-- 
+2.34.1

SPECS/python-jinja2/python-jinja2.spec

@@ -1,7 +1,7 @@
 Summary:        A fast and easy to use template engine written in pure Python
 Name:           python-jinja2
 Version:        3.1.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -12,6 +12,8 @@ Patch0:         CVE-2024-22195.patch
 Patch1:         CVE-2024-34064.patch
 Patch2:         CVE-2024-56201.patch
 Patch3:         CVE-2024-56326.patch
+Patch4:         CVE-2025-27516.patch
+Patch5:         python-jinja2-testing-deps.patch
 BuildArch:      noarch
 
 %description
@@ -25,6 +27,7 @@ BuildRequires:  python3-setuptools
 BuildRequires:  python3-xml
 %if 0%{?with_check}
 BuildRequires:  python3-pip
+BuildRequires:  python3-pytest
 %endif
 Requires:       python3
 Requires:       python3-markupsafe
@@ -47,8 +50,8 @@ sed -i 's/\r$//' LICENSE.rst # Fix wrong EOL encoding
 %py3_install
 
 %check
-pip3 install tox
-tox -e py%{python3_version_nodots}
+pip3 install tox packaging==23.2
+tox -v -e py%{python3_version_nodots} --
 
 %files -n python3-jinja2
 %defattr(-,root,root)
@@ -57,6 +60,9 @@ tox -e py%{python3_version_nodots}
 %{python3_sitelib}/Jinja2-%{version}-py%{python3_version}.egg-info
 
 %changelog
+* Fri Mar 07 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.2-3
+- Address CVE-2025-27516 with an upstream patch and fix the ptest
+
 * Thu Jan 2 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.2-2
 - Address CVE-2024-22195, CVE-2024-34064, CVE-2024-56201, CVE-2024-56326 with an upstream patch.
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -540,7 +540,7 @@ python3-debuginfo-3.12.9-1.azl3.aarch64.rpm
 python3-devel-3.12.9-1.azl3.aarch64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
-python3-jinja2-3.1.2-2.azl3.noarch.rpm
+python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libs-3.12.9-1.azl3.aarch64.rpm
 python3-libxml2-2.11.5-4.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -548,7 +548,7 @@ python3-debuginfo-3.12.9-1.azl3.x86_64.rpm
 python3-devel-3.12.9-1.azl3.x86_64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
-python3-jinja2-3.1.2-2.azl3.noarch.rpm
+python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libs-3.12.9-1.azl3.x86_64.rpm
 python3-libxml2-2.11.5-4.azl3.x86_64.rpm