Improving jinja2 security by using SandboxedEnvironment (#1632)
http://jinja.pocoo.org/docs/dev/sandbox/#sandbox
This commit is contained in:
parent
1624e7de7d
commit
5ae98bc7c9
@ -5,7 +5,7 @@ from __future__ import print_function
|
||||
from __future__ import unicode_literals
|
||||
|
||||
import inspect
|
||||
import jinja2
|
||||
from jinja2.sandbox import SandboxedEnvironment
|
||||
|
||||
from datetime import datetime, timedelta
|
||||
from dateutil.relativedelta import relativedelta
|
||||
@ -58,6 +58,7 @@ class BaseTemplateProcessor(object):
|
||||
self.context.update(BASE_CONTEXT)
|
||||
if self.engine:
|
||||
self.context[self.engine] = self
|
||||
self.env = SandboxedEnvironment()
|
||||
|
||||
def process_template(self, sql):
|
||||
"""Processes a sql template
|
||||
@ -66,7 +67,7 @@ class BaseTemplateProcessor(object):
|
||||
>>> process_template(sql)
|
||||
"SELECT '2017-01-01T00:00:00'"
|
||||
"""
|
||||
template = jinja2.Template(sql)
|
||||
template = self.env.from_string(sql)
|
||||
return template.render(self.context)
|
||||
|
||||
|
||||
|
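Review bot: The new `self.env = SandboxedEnvironment()` in the second hunk is only as tight as the objects placed in the context, and the line just above it keeps `self.context[self.engine] = self`, so every public attribute and method of the processor remains callable from a template; the sandbox blocks underscore-prefixed and known-unsafe attributes, not a class's public surface. A comment on the new line would make that contract explicit for future maintainers, e.g. `# SandboxedEnvironment blocks unsafe attribute access, but every public method on self is template-callable: treat this class's public surface as the template allow-list.` If `BASE_CONTEXT` carries mutable values, `jinja2.sandbox.ImmutableSandboxedEnvironment` additionally prevents templates from mutating shared lists/dicts through the context, which is worth considering. The `process_template` docstring in the third hunk could also say that rendering happens in the sandbox. The enclosing `__init__` begins outside the second hunk, and `process_template`'s signature sits in the second hunk while its body is in the third.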