robdiciuccio commented on a change in pull request #11704:
URL:
https://github.com/apache/incubator-superset/pull/11704#discussion_r524587227
##########
File path: superset/jinja_context.py
##########
@@ -186,6 +188,28 @@ def url_param(
return result
+def safe_proxy(func: Callable[..., Any], *args: Any, **kwargs: Any) -> Any:
Review comment:
I'm not even sure this proxying is strictly necessary, but the Jinja
sandbox seems to be handling dangerous function arguments just fine:
```
> SELECT "{{url_param(''.__class__.mro()[1].__subclasses__())}}"`
> Query 306: Template syntax error: access to attribute '__class__' of 'str'
object is unsafe.
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
