ktmud commented on a change in pull request #11704:
URL:
https://github.com/apache/incubator-superset/pull/11704#discussion_r524754202
##########
File path: superset/config.py
##########
@@ -667,16 +667,25 @@ class CeleryConfig: # pylint:
disable=too-few-public-methods
# A dictionary of items that gets merged into the Jinja context for
# SQL Lab. The existing context gets updated with this dictionary,
# meaning values for existing keys get overwritten by the content of this
-# dictionary.
+# dictionary. Exposing functionality through JINJA_CONTEXT_ADDONS has security
+# implications as it opens a window for a user to execute untrusted code.
+# It's important to make sure that the objects exposed (as well as objects
attached
+# to those objets) are harmless. We recommend only exposing simple/pure
functions that
+# return native types.
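Review bot: typo in the added comment, "objects attached to those objets" should read "objects attached to those objects". The warning "opens a window for a user to execute untrusted code" would also be clearer if it named the actual exposure: a SQL Lab template author can call whatever is placed in the context and follow attribute access from it, so any object reachable from an exposed value is reachable from a template. Stating that plainly motivates the last sentence, which otherwise reads as a style preference rather than the reason for restricting addons to pure functions returning native types.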
Review comment:
Maybe we can enforce this rule by checking the data type of the addons?
```python
import logging
import types

# Warn about addons that are neither plain functions nor native values,
# since anything reachable from such an object is reachable from a template.
for key, value in app.config["JINJA_CONTEXT_ADDONS"].items():
    if not isinstance(value, (types.FunctionType, int, str, tuple, list)):
        logging.warning(
            f"Jinja addon {key} is not a pure function or native type and"
            " could pose greater security risk to your application."
        )
    self._base_context[key] = value
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
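The type check suggested in the review can be taken a little further than the snippet above. As an added, stand-alone example (not code from this PR or from Superset), the audit below also treats callables that carry a receiver as suspect: bound methods expose their receiver through `__self__`, and even CPython builtins such as `len` carry the `builtins` module there. Containers are only accepted when their contents are native too, so a list or dict wrapping an arbitrary object is flagged as well. The `_FakeDatabase` class and `SAMPLE_ADDONS` are constructed for the example and do not come from any Superset configuration.

```python
import functools
import types
from typing import Any, Dict, Optional

# Values a template can only read. Containers count as native only when
# everything inside them is native too (checked recursively below).
_NATIVE_SCALARS = (int, float, str, bytes, bool, type(None))
_NATIVE_CONTAINERS = (tuple, list, set, frozenset, dict)


def _is_native(value: Any) -> bool:
    if isinstance(value, dict):
        return all(_is_native(k) and _is_native(v) for k, v in value.items())
    if isinstance(value, _NATIVE_CONTAINERS):
        return all(_is_native(item) for item in value)
    return isinstance(value, _NATIVE_SCALARS)


def _classify(value: Any) -> Optional[str]:
    """Return None if the addon is acceptable, else a short reason."""
    if isinstance(value, types.FunctionType):
        return None  # a def/lambda with no hidden receiver
    bound_to = getattr(value, "__self__", None)
    if bound_to is not None:
        # Bound methods and builtins carry their receiver in __self__;
        # for a builtin such as len that receiver is the builtins module.
        return (f"{type(value).__name__} bound to {type(bound_to).__name__}"
                " (reachable through __self__)")
    if callable(value):
        return f"callable {type(value).__name__}; its attributes are reachable"
    if not _is_native(value):
        return f"non-native value of type {type(value).__name__}"
    return None


def audit_jinja_context_addons(addons: Dict[str, Any]) -> Dict[str, str]:
    """Map each questionable addon name to the reason it was flagged.
    An empty result means every addon is a plain function or native data."""
    findings: Dict[str, str] = {}
    for key, value in addons.items():
        reason = _classify(value)
        if reason is not None:
            findings[key] = reason
    return findings


class _FakeDatabase:
    """Constructed stand-in for an object someone might be tempted to expose."""

    def run(self, sql: str) -> str:
        return f"ran: {sql}"


# Constructed sample addons for the demonstration, not a real Superset config.
SAMPLE_ADDONS: Dict[str, Any] = {
    "current_year": 2020,                     # native scalar: fine
    "regions": ["us-east", "eu-west"],        # native container: fine
    "add": lambda a, b: a + b,                # plain function: fine
    "length": len,                            # builtin bound to the builtins module
    "db": _FakeDatabase(),                    # arbitrary object
    "run_sql": _FakeDatabase().run,           # bound method, receiver via __self__
    "get_region": functools.partial(dict.get, {"primary": "us-east"}),  # callable object
    "settings": {"backend": _FakeDatabase()},  # dict hiding an arbitrary object
}

if __name__ == "__main__":
    for name, reason in audit_jinja_context_addons(SAMPLE_ADDONS).items():
        print(f"WARNING: JINJA_CONTEXT_ADDONS[{name!r}]: {reason}")
```

Run as a script it warns about `length`, `db`, `run_sql`, `get_region` and `settings` and accepts the other three. This is a lint for operators, not a sandbox: a plain `def` still carries `__globals__`, so what a template can ultimately reach also depends on how the Jinja environment restricts attribute access.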