robdiciuccio commented on a change in pull request #11704:
URL:
https://github.com/apache/incubator-superset/pull/11704#discussion_r524932729
##########
File path: superset/config.py
##########
@@ -667,16 +667,25 @@ class CeleryConfig: # pylint:
disable=too-few-public-methods
# A dictionary of items that gets merged into the Jinja context for
# SQL Lab. The existing context gets updated with this dictionary,
# meaning values for existing keys get overwritten by the content of this
-# dictionary.
+# dictionary. Exposing functionality through JINJA_CONTEXT_ADDONS has security
+# implications as it opens a window for a user to execute untrusted code.
+# It's important to make sure that the objects exposed (as well as objects
attached
+# to those objets) are harmless. We recommend only exposing simple/pure
functions that
+# return native types.
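Review bot: typo in the added comment text, "objects attached to those objets" should read "objects attached to those objects". While touching the wording, it would help to make the recommendation concrete by naming what to avoid (modules, classes and objects carrying attributes) alongside the "simple/pure functions that return native types" advice, since this comment is the only guard a deployer sees when populating JINJA_CONTEXT_ADDONS.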
Review comment:
I thought about that, but I'm guessing that if someone wants to pass a
module in here, they won't want constant warning messages in the logs. Feels
like the warning in the comment is sufficient.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
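A guard that enforces the shape the config comment above recommends for JINJA_CONTEXT_ADDONS. This is an added example, not Superset's own code; the function name `check_jinja_context_addons` and the sample mappings are assumptions constructed for illustration.

```python
"""Added example (not Superset's own code): a guard for values placed in
JINJA_CONTEXT_ADDONS. It enforces the shape the config comment recommends,
simple/pure functions and native constants, by rejecting modules, classes,
bound methods and arbitrary instances. `check_jinja_context_addons` is a
hypothetical name, not a Superset API."""
import datetime
import types
from typing import Any, Dict, List

# Plain data that a template can only read, not use to reach other objects.
NATIVE_SCALARS = (str, int, float, bool, type(None))


def _is_native(value: Any) -> bool:
    """True for native scalars and containers built only from native values."""
    if isinstance(value, NATIVE_SCALARS):
        return True
    if isinstance(value, (list, tuple, set, frozenset)):
        return all(_is_native(item) for item in value)
    if isinstance(value, dict):
        return all(isinstance(k, str) and _is_native(v) for k, v in value.items())
    return False


def check_jinja_context_addons(addons: Dict[str, Any]) -> List[str]:
    """Return one problem string per unsafe entry; an empty list means OK."""
    problems: List[str] = []
    for name, value in addons.items():
        if isinstance(value, types.ModuleType):
            problems.append(f"{name}: module exposes all of its attributes")
        elif isinstance(value, type):
            problems.append(f"{name}: class exposes constructor and attributes")
        elif isinstance(value, types.MethodType):
            problems.append(f"{name}: bound method carries its instance")
        elif isinstance(value, (types.FunctionType, types.BuiltinFunctionType)):
            continue  # plain function: the recommended shape
        elif not _is_native(value):
            problems.append(f"{name}: {type(value).__name__} instance exposes attributes")
    return problems


def current_year() -> int:
    """A pure function returning a native type, the shape the comment recommends."""
    return datetime.date.today().year


# Constructed sample mappings: one acceptable, one with three rejected shapes.
SAFE_ADDONS = {"current_year": current_year, "region": "eu", "limits": {"rows": 1000}}
UNSAFE_ADDONS = {"dt": datetime, "Date": datetime.date, "now": datetime.datetime.now()}
```

Running the check at startup over the configured mapping and refusing to boot on a non-empty result gives deployers a hard stop instead of the per-render log warnings the review thread decided against.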