Merge commit from fork

* fix(security): use SandboxedEnvironment for PART_NAME_FORMAT rendering

- Switch jinja2.Environment to jinja2.sandbox.SandboxedEnvironment in
  part/helpers.py to prevent SSTI via template tags in PART_NAME_FORMAT.
- Set pk=1 on the dummy Part instance in the validator to ensure
  conditional expressions like {% if part.pk %} are properly evaluated
  during validation, closing the sandbox bypass vector.

Fixes GHSA-84jh-x777-8pqq

* Style fixes

---------

Co-authored-by: Paul <morimori-dev@github.com>
Co-authored-by: Oliver Walters <oliver.henry.walters@gmail.com>

src/backend/InvenTree/common/setting/system.py

@@ -49,7 +49,8 @@ def validate_part_name_format(value):
                 })
 
     # Attempt to render the template with a dummy Part instance
-    p = Part(name='test part', description='some test part')
+    # Use pk=1 to ensure conditional checks like {% if part.pk %} are evaluated
+    p = Part(pk=1, name='test part', description='some test part')
 
     try:
         SandboxedEnvironment().from_string(value).render({'part': p})

src/backend/InvenTree/part/helpers.py

@@ -5,7 +5,7 @@ import os
 from django.conf import settings
 
 import structlog
-from jinja2 import Environment, select_autoescape
+from jinja2.sandbox import SandboxedEnvironment
 
 from common.settings import get_global_setting
 
@@ -37,11 +37,7 @@ def compile_full_name_template(*args, **kwargs):
     # Cache the template string
     _part_full_name_template_string = template_string
 
-    env = Environment(
+    env = SandboxedEnvironment(variable_start_string='{{', variable_end_string='}}')
-        autoescape=select_autoescape(default_for_string=False, default=False),
-        variable_start_string='{{',
-        variable_end_string='}}',
-    )
 
     # Compile the template
     try: