Home Assistant Command-Line Interface Jinja2 Template Handling Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the Home Assistant Command-line interface (hass-cli) prior to version 1.0.0 allows unrestricted handling of user-supplied Jinja2 templates. Because templates were rendered in an unsandboxed Jinja2 environment, template expressions could reach Python's internals, potentially leading to arbitrary code execution on the local machine. Exploitation requires user intervention, such as downloading a malicious template and rendering it with the command-line interface.

Impact

The vulnerability could be exploited to execute arbitrary code on the local machine where hass-cli is run.

Reproduction

To reproduce this vulnerability, download a third-party Jinja2 template that contains malicious code, such as one that manipulates data or establishes a remote shell. Then, use the hass-cli command to render the template locally with the '--local' option. This will execute the embedded harmful code without any restrictions.

Remediation

Users should update to version 1.0.0 or later, which addresses the vulnerability by introducing an 'ImmutableSandboxedEnvironment' for Jinja2 template handling. Additionally, templates can be evaluated manually or with a tool before rendering them with hass-cli.
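The following is an added illustration, not hass-cli's own code, of what the fix changes: the same user-supplied template rendered with a plain Jinja2 Environment (the pre-1.0.0 behaviour) and with ImmutableSandboxedEnvironment. It assumes only that the jinja2 package is installed; the context values are constructed sample data.

```python
# Added illustration (not hass-cli's own code): plain Jinja2 Environment
# versus the ImmutableSandboxedEnvironment introduced in hass-cli 1.0.0.
from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed sample context standing in for data hass-cli passes to templates.
SAMPLE_CONTEXT = {"entity": "light.kitchen", "tags": ["a", "b"]}


def render_unrestricted(template_src: str, **context) -> str:
    """Pre-1.0.0 behaviour: a plain Environment resolves any attribute."""
    return Environment().from_string(template_src).render(**context)


def render_sandboxed(template_src: str, **context) -> str:
    """Fixed behaviour: attribute access to Python internals is refused
    (it renders as an empty Undefined) and calls that would mutate known
    container types raise SecurityError."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(**context)


def is_rejected(template_src: str, **context) -> bool:
    """True if the sandbox refuses the template with a SecurityError."""
    try:
        render_sandboxed(template_src, **context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    # Benign template: identical output in both environments.
    benign = "{{ entity }} has {{ tags | length }} tags"
    print(render_unrestricted(benign, **SAMPLE_CONTEXT))
    print(render_sandboxed(benign, **SAMPLE_CONTEXT))

    # Template reaching for Python internals: the plain environment resolves
    # the attribute, the sandbox renders nothing instead.
    internals = "{{ entity.__class__ }}"
    print(repr(render_unrestricted(internals, **SAMPLE_CONTEXT)))  # "<class 'str'>"
    print(repr(render_sandboxed(internals, **SAMPLE_CONTEXT)))     # ""

    # Template mutating shared state: refused outright by the immutable sandbox.
    print(is_rejected("{{ tags.append('c') }}", **SAMPLE_CONTEXT))  # True
```

The empty rendering of the internals template is an Undefined carrying SecurityError: any further attribute access or call on it raises, so a chain that starts there fails instead of reaching the interpreter.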

Added: Apr 21, 2026, 7:47 PM
Updated: Apr 21, 2026, 7:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 0.0
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.