robdiciuccio opened a new pull request #11704: URL: https://github.com/apache/incubator-superset/pull/11704
### SUMMARY Adds a new `SAFE_JINJA_PROCESSING` config flag to prevent passing potentially unsafe modules/methods to the Jinja context. When the flag is enabled, it: - Removes exposed modules such as `datetime` and `timedelta` - Proxies exposed methods such as `current_user_id` and `url_param` through a method that enforces static return values There are no changes to Jijna templating syntax with `SAFE_JINJA_PROCESSING` enabled. Adding custom Jinja context items is still possible via `JINJA_CONTEXT_ADDONS` as is overriding the template processor on a per-database engine basis via `CUSTOM_TEMPLATE_PROCESSORS`. Opening this PR for discussion. If the approach is agreed upon, I will write tests. ### TODO - [ ] Write tests ### TEST PLAN - Test Jinja templating in SQL Lab and in virtual datasets ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [ ] Has associated issue: - [ ] Changes UI - [ ] Requires DB Migration. - [ ] Confirm DB Migration upgrade and downgrade tested. - [x] Introduces new feature or API - [ ] Removes existing feature or API @mistercrunch @ktmud @dpgaspar @villebro ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
