Improving jinja2 security by using SandboxedEnvironment (#1632)

http://jinja.pocoo.org/docs/dev/sandbox/#sandbox
2024-09-12 00:29:39 -04:00 · 2016-11-18 17:14:30 -08:00 · 2016-11-18 17:14:30 -08:00 · 5ae98bc7c9
commit 5ae98bc7c9
parent 1624e7de7d
1 changed files with 3 additions and 2 deletions
--- a/superset/jinja_context.py
+++ b/superset/jinja_context.py
@ -5,7 +5,7 @@ from __future__ import print_function
 from __future__ import unicode_literals

 import inspect
-import jinja2
+from jinja2.sandbox import SandboxedEnvironment

 from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
@ -58,6 +58,7 @@ class BaseTemplateProcessor(object):
        self.context.update(BASE_CONTEXT)
        if self.engine:
            self.context[self.engine] = self
+        self.env = SandboxedEnvironment()

    def process_template(self, sql):
        """Processes a sql template
@ -66,7 +67,7 @@ class BaseTemplateProcessor(object):
        >>> process_template(sql)
        "SELECT '2017-01-01T00:00:00'"
        """
-        template = jinja2.Template(sql)
+        template = self.env.from_string(sql)
        return template.render(self.context)