robdiciuccio commented on pull request #11617:
URL: https://github.com/apache/incubator-superset/pull/11617#issuecomment-726184361
One concern with `chevron` is that it allows loading of "partials" from the
filesystem. ex:
```
>>> import chevron
>>> chevron.render('Config: {{> superset_config }}', {}, '.', 'py')
'Config: import os\nfrom superset.stats_logger import DummyStatsLogger\nfrom cachelib.file...'
```
While this can be mitigated since we control how `chevron.render` is called,
it does not appear that it can be disabled.
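A conservative pre-render check for the mitigation mentioned in the comment above (controlling what reaches `chevron.render`), as an added example that is not part of the original comment or of Superset's code. It assumes templates arrive as user-supplied strings using Mustache's default `{{ }}` delimiters; `find_forbidden_tags`, `check_template` and `UnsafeTemplateError` are hypothetical names, and the block does not call chevron itself.

```python
import re

# Matches any default-delimiter Mustache tag: {{ ... }} or {{{ ... }}}.
_TAG = re.compile(r"\{\{\{?(.*?)\}?\}\}", re.DOTALL)


class UnsafeTemplateError(ValueError):
    """Raised when a template uses a tag this guard refuses to render."""


def find_forbidden_tags(template):
    """Return (kind, body) for each partial or set-delimiter tag found.

    Set-delimiter tags ({{=<% %>=}}) are refused as well: after one, a
    partial could be written as <%> name %> and slip past a scan that
    only knows the default delimiters.
    """
    found = []
    for match in _TAG.finditer(template):
        body = match.group(1).strip()
        if body.startswith(">"):
            found.append(("partial", body[1:].strip()))
        elif body.startswith("="):
            found.append(("set-delimiter", body))
    return found


def check_template(template):
    """Return the template unchanged, or raise if it could load a partial."""
    forbidden = find_forbidden_tags(template)
    if forbidden:
        details = ", ".join(f"{kind} tag {body!r}" for kind, body in forbidden)
        raise UnsafeTemplateError(f"template rejected: {details}")
    return template


if __name__ == "__main__":
    # Constructed sample templates; the first is the one from the comment.
    for sample in ("Config: {{> superset_config }}",
                   "{{=<% %>=}}<%> superset_config %>",
                   "Hello {{ name }}, total {{{ amount }}}"):
        try:
            check_template(sample)
            print("ok      ", sample)
        except UnsafeTemplateError as exc:
            print("rejected", sample, "->", exc)
```

The check is deliberately stricter than a Mustache parser: it also flags `{{ > name }}` and `{{{> name }}}`, which some implementations treat as plain variables.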