BUG: AppInspect: Check for deprecated third-party Mako templates warning

[ljerabek]

Description

Sorry if this is posted in the wrong section, but I wanted to make the team was aware. Since the mako files are added as part of UCC build process.

App-Inspect warns mako template appserver/templates/base.html poses a critical security risk by allowing arbitrary Python code execution.

check_for_existence_of_python_code_block_in_mako_template – prohibits the use of Mako templates.

Security vulnerabilities
Check for deprecated third-party Mako templates that allow arbitrary
Python code execution through Splunk's CherryPy process, creating critical
security vulnerabilities.
WARNING: Detected use of a third-party Mako template, which
poses a critical security risk by allowing arbitrary Python code
execution. Remove custom Mako templates. File:
appserver/templates/base.html

What UCC version are you using?

6.0.1

Additional System Info

WSL / Python 3.12.3

[artemrys]

Thanks @ljerabek for raising this, we are working with AppInspect team on finding a fix for this. I'll post an update here once we have a decision.

[qinshuang1998]

Hi @artemrys , in fact, we have already received a warning letter from the AppInspect team at Splunk Cloud. As an enterprise-grade vendor plugin, replacing UCC in a short timeframe is simply not feasible. Could you please let us know if there are any workarounds available? We look forward to the outcome of your internal discussions. Thank you.

[tsullivan06]

@artemrys - I'm in the same boat as @qinshuang1998, the AppInspect teams sent me notices about all my TAs and apparently want it resolved in 30 days.

[ludvikjerabek]

Thanks @ljerabek for raising this, we are working with AppInspect team on finding a fix for this. I'll post an update here once we have a decision.

No problem, as soon as I received the notification from Splunk Cloud I began testing, and realized the base.html was being injected by UCC.

I just wanted to say thanks for all the hard work you guys have put into UCC and supporting the community. TA publishers needed a better way and you guys delivered something more robust than AOB. 🙌 🙌 🙌

The constant changes from Splunk's review team virtually every quarter is hectic enough, but this tool has been a lifesaver.

[ludvikjerabek]

Hi @artemrys , in fact, we have already received a warning letter from the AppInspect team at Splunk Cloud. As an enterprise-grade vendor plugin, replacing UCC in a short timeframe is simply not feasible. Could you please let us know if there are any workarounds available? We look forward to the outcome of your internal discussions. Thank you.

At least we have 90 days 🤣

In approximately 90 days, Splunk will declare one or more releases of your app as incompatible with the Splunk Cloud Platform due to enhancements to the Splunk Cloud Vetting process.