Improving jinja2 security by using SandboxedEnvironment (#1632)
http://jinja.pocoo.org/docs/dev/sandbox/#sandbox
This commit is contained in:
parent
1624e7de7d
commit
5ae98bc7c9
@ -5,7 +5,7 @@ from __future__ import print_function
|
|||||||
from __future__ import unicode_literals
|
from __future__ import unicode_literals
|
||||||
|
|
||||||
import inspect
|
import inspect
|
||||||
import jinja2
|
from jinja2.sandbox import SandboxedEnvironment
|
||||||
|
|
||||||
from datetime import datetime, timedelta
|
from datetime import datetime, timedelta
|
||||||
from dateutil.relativedelta import relativedelta
|
from dateutil.relativedelta import relativedelta
|
||||||
@ -58,6 +58,7 @@ class BaseTemplateProcessor(object):
|
|||||||
self.context.update(BASE_CONTEXT)
|
self.context.update(BASE_CONTEXT)
|
||||||
if self.engine:
|
if self.engine:
|
||||||
self.context[self.engine] = self
|
self.context[self.engine] = self
|
||||||
|
self.env = SandboxedEnvironment()
|
||||||
|
|
||||||
def process_template(self, sql):
|
def process_template(self, sql):
|
||||||
"""Processes a sql template
|
"""Processes a sql template
|
||||||
@ -66,7 +67,7 @@ class BaseTemplateProcessor(object):
|
|||||||
>>> process_template(sql)
|
>>> process_template(sql)
|
||||||
"SELECT '2017-01-01T00:00:00'"
|
"SELECT '2017-01-01T00:00:00'"
|
||||||
"""
|
"""
|
||||||
template = jinja2.Template(sql)
|
template = self.env.from_string(sql)
|
||||||
return template.render(self.context)
|
return template.render(self.context)
|
||||||
|
|
||||||
|
|
||||||
|
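Review bot: The sandbox only restricts attribute traversal and unsafe callables, yet `self.context[self.engine] = self` (the context line just above the added `self.env = SandboxedEnvironment()`) still hands the whole processor object to the template, so every public attribute and method of the processor, and whatever they return, remains reachable from user-supplied SQL. Consider registering only the intended helper callables in the context instead of `self`, or at least mark the line: `# NOTE: the sandbox blocks _private/dunder access, but every public attribute of this object is reachable from templates`. The enclosing method starts outside the hunk. The first hunk also drops `import jinja2` entirely, which assumes no other `jinja2.` reference survives elsewhere in the file; that cannot be confirmed from the visible hunks.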