CVE-2024-56326: Jinja has a sandbox breakout through indirect reference to format method
CVSS Score: 7.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
jinja2 | pip | <= 3.1.4 | 3.1.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (GHSA-q2x7-8rv6-6q7h / CVE-2024-56326) in Jinja2 allowed a sandbox escape through indirect calls to `str.format`. The core issue was that an attacker could obtain a direct reference to a string's `format` (or `format_map`) method and then have it executed by a custom filter, bypassing the sandbox's checks.

The provided commit 48b0687e05a5466a91cd5812d604fa37ad0943b4 addresses this by changing how `str.format` methods are handled. Specifically, `SandboxedEnvironment.getitem` and `SandboxedEnvironment.getattr` were updated to use a new helper function, `wrap_str_format`, which wraps the `str.format` or `str.format_map` method at the time of access (i.e., when `getitem` or `getattr` is called to retrieve it).

Before this patch, `getitem` and `getattr` returned the raw, unwrapped `format` method. If that raw method was called indirectly (e.g., passed as an argument to a custom filter that then invoked it), it was not subject to the sandbox's specific `str.format` handling, which had previously been attempted within the `SandboxedEnvironment.call` method via `inspect_format_method` and `format_string` (both now removed).

Therefore, `SandboxedEnvironment.getitem` and `SandboxedEnvironment.getattr` are identified as the vulnerable functions: they were the points at which an attacker could obtain the exploitable unwrapped method reference. The patch modifies these functions directly to ensure that any `str.format` method retrieved through them is already sandboxed, regardless of how it is subsequently called.
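The access-time wrapping described above, as an added illustration that is not Jinja's own code: a minimal model of a `wrap_str_format` helper plus a `string.Formatter` subclass whose replacement-field lookups pass through a sandbox attribute check, so the returned method stays sandboxed however it is later called. The `is_safe_attribute` policy, the `sandboxed_getattr` stand-in for the patched `getattr`, and the `SecurityError` class are assumptions made for this example.

```python
import types
from _string import formatter_field_name_split  # CPython helper used by string.Formatter
from functools import update_wrapper
from string import Formatter

class SecurityError(Exception):
    """Raised when a format string reaches an attribute the sandbox forbids."""

def is_safe_attribute(obj, attr):
    # Constructed policy for this example: private and dunder attributes are off limits.
    return not attr.startswith("_")

class SandboxedFormatter(Formatter):
    """Formatter whose replacement-field lookups go through the sandbox check."""
    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            if is_attr:
                if not is_safe_attribute(obj, name):
                    raise SecurityError(f"access to attribute {name!r} is unsafe")
                obj = getattr(obj, name)
            else:
                obj = obj[name]
        return obj, first

def wrap_str_format(value):
    """Return a sandboxed stand-in for a bound str.format / str.format_map, or None
    for anything else. Wrapping at access time covers calls made without a call hook."""
    if not isinstance(value, types.BuiltinMethodType):
        return None
    if value.__name__ not in ("format", "format_map") or not isinstance(value.__self__, str):
        return None
    template = value.__self__
    is_format_map = value.__name__ == "format_map"
    vformat = SandboxedFormatter().vformat
    def wrapper(*args, **kwargs):
        if is_format_map:
            if kwargs or len(args) != 1:
                raise TypeError("format_map() takes exactly one positional argument")
            args, kwargs = (), args[0]
        return vformat(template, args, kwargs)
    return update_wrapper(wrapper, value)

def sandboxed_getattr(obj, attr):
    """Model of the patched getattr: wrap format methods before handing them out."""
    value = getattr(obj, attr)
    return wrap_str_format(value) or value
```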