Remove dangerous tpl funcs in Sprig that's enabled by default.

knadh · knadh · commit d27d2c32cf3a · 2025-06-08T15:06:56.000+05:30
`env` and `expandenv` template functions in the Sprig library allow
accessing system environment variables within campaign templates.
diff --git a/cmd/init.go b/cmd/init.go
@@ -988,7 +988,11 @@ func initTplFuncs(i *i18n.I18n, u *UrlConfig) template.FuncMap {
 	}
 
 	// Copy spring functions.
-	maps.Copy(funcs, sprig.GenericFuncMap())
+	sprigFuncs := sprig.GenericFuncMap()
+	delete(sprigFuncs, "env")
+	delete(sprigFuncs, "expandenv")
+
+	maps.Copy(funcs, sprigFuncs)
 
 	return funcs
 }
diff --git a/internal/manager/manager.go b/internal/manager/manager.go
@@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {
 	}
 
 	// Copy spring functions.
-	maps.Copy(funcs, sprig.GenericFuncMap())
+	sprigFuncs := sprig.GenericFuncMap()
+	delete(sprigFuncs, "env")
+	delete(sprigFuncs, "expandenv")
+
+	maps.Copy(funcs, sprigFuncs)
 
 	return funcs
 }

Original file line number	Diff line number	Diff line change
`@@ -988,7 +988,11 @@ func initTplFuncs(i i18n.I18n, u UrlConfig) template.FuncMap {`
`988`	`988`	`}`
`989`	`989`
`990`	`990`	`// Copy spring functions.`
`991`		`- maps.Copy(funcs, sprig.GenericFuncMap())`
	`991`	`+ sprigFuncs := sprig.GenericFuncMap()`
	`992`	`+ delete(sprigFuncs, "env")`
	`993`	`+ delete(sprigFuncs, "expandenv")`
	`994`	`+`
	`995`	`+ maps.Copy(funcs, sprigFuncs)`
`992`	`996`
`993`	`997`	`return funcs`
`994`	`998`	`}`
Original file line number	Diff line number	Diff line change
`@@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {`
`621`	`621`	`}`
`622`	`622`
`623`	`623`	`// Copy spring functions.`
`624`		`- maps.Copy(funcs, sprig.GenericFuncMap())`
	`624`	`+ sprigFuncs := sprig.GenericFuncMap()`
	`625`	`+ delete(sprigFuncs, "env")`
	`626`	`+ delete(sprigFuncs, "expandenv")`
	`627`	`+`
	`628`	`+ maps.Copy(funcs, sprigFuncs)`
`625`	`629`
`626`	`630`	`return funcs`
`627`	`631`	`}`