id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33986	Code formatters should be looked up before template rendering in startapp/startproject	Shai Berger	Shai Berger	"The Security Team received a report about ""binary planting"" in custom templates for the {{{startproject}}} and {{{startapp}}} commands:

- These commands use the {{{black}}} code formatter if it is installed, so they look for it as an executable on the system path;
- Under some circumstances, the template used for the new project or app will be rendered onto the path (e.g. on Windows the current directory is on the system path by default, and although this is not the default, the template may be rendered into the current directory);
- In the current code, {{{black}}} is only looked up when it is time to run it, that is, after the template has been rendered;
- So if all the stars above align ""correctly"", the management command may execute a {{{black}}} command that is included in the template;
- Custom templates can be specified using a remote URL -- in that case, downloaded code would be executed immediately

The Security Team decided that this should not be treated as a vulnerability, since custom templates already get very wide access via the Django Template Language. It still seemed worthwhile to change things so that the lookup should happen before the custom template can affect the choice of executable, and to amplify the warnings in the documentation that custom templates are treated as trusted code.

Thanks Trung Pham of Viettel Cyber Security for the report"	Cleanup/optimization	closed	Core (Management commands)	dev	Normal	fixed	hardening		Ready for checkin	1	0	0	0	0	0
