robdiciuccio commented on pull request #11617: URL: https://github.com/apache/incubator-superset/pull/11617#issuecomment-726192319
@ktmud The intention is the prevent security issues like [CVE-2020-13948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13948). We should absolutely move away from exposing class objects to the Jinja context, but this doesn't prevent access to Python internals. We're relying heavily on Jijna's [Sandboxing](https://jinja.palletsprojects.com/en/2.11.x/sandbox/) to prevent RCE, which feels very brittle. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
