From 5ae98bc7c9b432683d03d30a30631a6efd7a78a3 Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin
Date: Fri, 18 Nov 2016 17:14:30 -0800
Subject: [PATCH] Improving jinja2 security by using SandboxedEnvironment (#1632)
http://jinja.pocoo.org/docs/dev/sandbox/#sandbox
---
 superset/jinja_context.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/superset/jinja_context.py b/superset/jinja_context.py
index 94f56328b2..1324a52be4 100644
--- a/superset/jinja_context.py
+++ b/superset/jinja_context.py
@@ -5,7 +5,7 @@ from __future__ import print_function
 from __future__ import unicode_literals
 import inspect
-import jinja2
+from jinja2.sandbox import SandboxedEnvironment
 from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
@@ -58,6 +58,7 @@ class BaseTemplateProcessor(object):
 self.context.update(BASE_CONTEXT)
 if self.engine:
 self.context[self.engine] = self
+ self.env = SandboxedEnvironment()
 def process_template(self, sql):
 """Processes a sql template
@@ -66,7 +67,7 @@ class BaseTemplateProcessor(object):
 >>> process_template(sql)
 "SELECT '2017-01-01T00:00:00'"
 """
- template = jinja2.Template(sql)
+ template = self.env.from_string(sql)
 return template.render(self.context)
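Review bot: The line directly above the new one (`self.context[self.engine] = self`) still hands the whole processor to user templates, so after this hunk the environment itself is reachable from a template as `<engine>.env` (e.g. `{{ presto.env.globals }}` if `self.engine` is `'presto'`); a plain `SandboxedEnvironment` only blocks `_`-prefixed and flagged-unsafe attributes, it does not stop a template from mutating dicts or lists it can reach, such as the environment's `globals` and `filters`. Switching to `self.env = ImmutableSandboxedEnvironment()` (same module, adjust the import in the first hunk) closes that mutation path, and exposing only the intended helper methods in the context instead of `self` would be the stronger fix. The sandbox is hardening against server-side template injection, not a hard boundary — escapes have been fixed in later Jinja2 releases, so the `jinja2` pin should be kept current. A comment on the new line such as `# Templates are end-user input: sandbox them so attribute access cannot escape into the process` would record why the plain Environment is avoided. The enclosing `__init__` starts outside the hunk.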