Closes #6921: Employ a sandbox when rendering Jinja2 code for increased security
jeremystretch committed Aug 11, 2021
1 parent 7bceeb7 commit db35971
Showing 5 changed files with 13 additions and 3 deletions.
3 changes: 3 additions & 0 deletions docs/additional-features/custom-links.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ When viewing a device named Router4, this link would render as:

Custom links appear as buttons at the top right corner of the page. Numeric weighting can be used to influence the ordering of links.

!!! warning
Custom links rely on user-created code to generate arbitrary HTML output, which may be dangerous. Only grant permission to create or modify custom links to trusted users.

## Context Data

The following context data is available within the template when rendering a custom link's text or URL.
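Review bot: the new warning in this hunk says custom links generate arbitrary HTML but does not say what the sandbox introduced by this commit does and does not cover. Suggest adding that the Jinja2 sandbox restricts what template code can do inside NetBox, while the rendered link text and URL are still emitted into the page as authored, so the permission restriction remains the control for HTML and URL content.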
5 changes: 4 additions & 1 deletion docs/additional-features/export-templates.md
Expand Up @@ -4,10 +4,13 @@ NetBox allows users to define custom templates that can be used when exporting o

Each export template is associated with a certain type of object. For instance, if you create an export template for VLANs, your custom template will appear under the "Export" button on the VLANs list. Each export template must have a name, and may optionally designate a specific export [MIME type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) and/or file extension.

Export templates must be written in [Jinja2](https://jinja.palletsprojects.com/).

!!! note
The name `table` is reserved for internal use.

Export templates must be written in [Jinja2](https://jinja.palletsprojects.com/).
!!! warning
Export templates are rendered using user-submitted code, which may pose security risks under certain conditions. Only grant permission to create or modify export templates to trusted users.

The list of objects returned from the database when rendering an export template is stored in the `queryset` variable, which you'll typically want to iterate through using a `for` loop. Object properties can be access by name. For example:

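Review bot: the relocated sentence (`Export templates must be written in [Jinja2](https://jinja.palletsprojects.com/).`) now sits above the `!!! note` block, which reads better, but the new `!!! warning` text "may pose security risks under certain conditions" is vaguer than the custom-links warning; suggest naming the condition, for example that templates run against the full `queryset` and whatever else the context exposes. While touching this paragraph, the unchanged context line "Object properties can be access by name" should read "accessed by name".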
3 changes: 3 additions & 0 deletions docs/additional-features/webhooks.md
Expand Up @@ -2,6 +2,9 @@

A webhook is a mechanism for conveying to some external system a change that took place in NetBox. For example, you may want to notify a monitoring system whenever the status of a device is updated in NetBox. This can be done by creating a webhook for the device model in NetBox and identifying the webhook receiver. When NetBox detects a change to a device, an HTTP request containing the details of the change and who made it be sent to the specified receiver. Webhooks are configured in the admin UI under Extras > Webhooks.

!!! warning
Webhooks support the inclusion of user-submitted code to generate custom headers and payloads, which may pose security risks under certain conditions. Only grant permission to create or modify webhooks to trusted users.

## Configuration

* **Name** - A unique name for the webhook. The name is not included with outbound messages.
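Review bot: the warning added here matches the other two docs pages, but the surrounding sentence in the unchanged context, "an HTTP request containing the details of the change and who made it be sent", is missing "will" before "be sent"; since this hunk edits the same section, fix it in the same commit. Consider also stating that the sandbox constrains the template code itself, while the headers and payload it produces are still sent to the receiver exactly as written.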
1 change: 1 addition & 0 deletions docs/release-notes/version-2.11.md
Expand Up @@ -5,6 +5,7 @@
### Enhancements

* [#6883](https://github.com/netbox-community/netbox/issues/6883) - Add C21 & C22 power types
* [#6921](https://github.com/netbox-community/netbox/issues/6921) - Employ a sandbox when rendering Jinja2 code for increased security

### Bug Fixes

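Review bot: the release-notes line describes the change only as "for increased security"; because `SandboxedEnvironment` refuses attribute access to names starting with an underscore and refuses calls to unsafe callables, existing custom links, export templates or webhook templates that relied on those will start raising errors after the upgrade. Suggest a short compatibility note next to this entry so operators know what to expect.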
4 changes: 2 additions & 2 deletions netbox/utilities/utils.py
Expand Up @@ -6,7 +6,7 @@
from django.core.serializers import serialize
from django.db.models import Count, OuterRef, Subquery
from django.db.models.functions import Coalesce
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment
from mptt.models import MPTTModel

from dcim.choices import CableLengthUnitChoices
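Review bot: the import swap removes `Environment` from this module; confirm nothing else in `utils.py` still references `jinja2.Environment`, otherwise this hunk introduces a `NameError` that only surfaces at render time. If templates must also be prevented from mutating the objects handed to them through the context, `ImmutableSandboxedEnvironment` from the same `jinja2.sandbox` module is the stricter option to import here.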
Expand Down Expand Up @@ -213,7 +213,7 @@ def render_jinja2(template_code, context):
"""
Render a Jinja2 template with the provided context. Return the rendered content.
"""
return Environment().from_string(source=template_code).render(**context)
return SandboxedEnvironment().from_string(source=template_code).render(**context)


def prepare_cloned_fields(instance):
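Review bot: `SandboxedEnvironment()` is instantiated with defaults, so autoescaping stays off; since this same helper renders custom links whose output the docs describe as arbitrary HTML, make that choice explicit (pass `autoescape` deliberately or add a comment) rather than leaving it implicit. The docstring should also record that rendering is sandboxed and what that means for callers: underscore-prefixed attribute access and unsafe callables are blocked, but the sandbox does not bound loop count or render time, so the "trusted users only" guidance the docs now carry still applies.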