
Removed unnecessary functions from report template (#2040)

Fatih Çelik 3 недель назад
Родитель
Сommit
8d1f98c796
2 измененных файлов с 56 добавлено и 1 удалено
  1. 7 1
      report/template.go
  2. 49 0
      report/template_test.go

+ 7 - 1
report/template.go

@@ -29,7 +29,13 @@ func NewTemplateReporter(templatePath string) (*TemplateReporter, error) {
 
 	// TODO: Add helper functions like escaping for JSON, XML, etc.
 	t := template.New("custom")
-	t = t.Funcs(sprig.TxtFuncMap())
+
+	funcMap := sprig.TxtFuncMap()
+	delete(funcMap, "env")
+	delete(funcMap, "expandenv")
+	delete(funcMap, "getHostByName")
+
+	t = t.Funcs(funcMap)
 	t, err = t.Parse(templateText)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing file: %w", err)
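Review bot: The three `delete(funcMap, …)` calls carry no comment saying why exactly these sprig functions are removed, so the next maintainer has no way to tell a deliberate deny-list from leftover cleanup, and the commit title ("unnecessary functions") understates it. I would add above the first delete: `// Templates can come from user-supplied files; drop the sprig helpers that read the process environment or resolve hostnames so a template cannot leak secrets from the environment or probe DNS.` Since this is a deny-list against sprig's full function map, it is worth a second comment noting that the list must be revisited when the sprig dependency is upgraded, or converting it to an explicit allow-list of the functions the report templates actually need. The `// TODO: Add helper functions …` line above is unchanged context and still reads as if no function filtering happens here. NewTemplateReporter begins and ends outside this hunk.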

+ 49 - 0
report/template_test.go

@@ -96,3 +96,52 @@ func TestWriteTemplate(t *testing.T) {
 		})
 	}
 }
+
+func TestTemplateDangerousFunctions(t *testing.T) {
+	tests := []struct {
+		name     string
+		template string
+		wantErr  string
+	}{
+		{
+			name:     "env is blocked",
+			template: `{{ env "SECRET" }}`,
+			wantErr:  `function "env" not defined`,
+		},
+		{
+			name:     "expandenv is blocked",
+			template: `{{ expandenv "$SECRET" }}`,
+			wantErr:  `function "expandenv" not defined`,
+		},
+		{
+			name:     "getHostByName is blocked",
+			template: `{{ getHostByName "localhost" }}`,
+			wantErr:  `function "getHostByName" not defined`,
+		},
+		{
+			name:     "now is allowed (benign)",
+			template: `{{ now | date "2006-01-02" }}`,
+			wantErr:  "", // should not error on parse
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpfile, err := os.CreateTemp(t.TempDir(), "test*.tmpl")
+			require.NoError(t, err)
+			defer os.Remove(tmpfile.Name())
+
+			_, err = tmpfile.WriteString(tt.template)
+			require.NoError(t, err)
+			tmpfile.Close()
+
+			_, err = NewTemplateReporter(tmpfile.Name())
+			if tt.wantErr != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
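Review bot: `tmpfile.Close()` on the line after `WriteString` discards its error, so a failed flush would surface later as a confusing parse error rather than at the write; change it to `require.NoError(t, tmpfile.Close())`. The `defer os.Remove(tmpfile.Name())` is redundant because the file is created inside `t.TempDir()`, which the testing package removes at cleanup; dropping the defer (or replacing the CreateTemp/WriteString/Close sequence with a single `os.WriteFile` into the temp dir, if `path/filepath` is already imported in this file) keeps the setup shorter. It may also be worth a one-line comment on the table stating that the assertions cover parse time only, since that is where `function … not defined` is raised and the test does not execute the templates.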