Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(common): prevent injection during jinja templating #1850

Merged
merged 2 commits into from
Dec 12, 2024
Merged

fix(common): prevent injection during jinja templating #1850

merged 2 commits into from
Dec 12, 2024

Conversation

davinov
Copy link
Member

@davinov davinov commented Dec 11, 2024

Forward port of #1849

@davinov davinov requested a review from a team as a code owner December 11, 2024 17:47
lukapeschke
lukapeschke requested changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@lukapeschke lukapeschke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Would be great if we could avoid the global var

toucan_connectors/common.py Outdated
Comment on lines 26 to 27
jinja_env = ImmutableSandboxedEnvironment()

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
jinja_env = ImmutableSandboxedEnvironment()

toucan_connectors/common.py Outdated
else:
env = Environment() # noqa: S701
env = jinja_env # noqa: S701
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
env = jinja_env # noqa: S701
env = ImmutableSandboxedEnvironment()

toucan_connectors/common.py Outdated
@@ -237,7 +243,7 @@ def _flatten_dict(p, parent_key=""):
parameters.update(p_keep_type)

logging.getLogger(__name__).debug(f"Render query: {query} with parameters {parameters}")
return Template(query).render(parameters)
return jinja_env.from_string(query).render(parameters)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, I'm in favor of avoiding globals when possible

toucan_connectors/common.py Outdated
@@ -476,7 +482,7 @@ def pandas_read_sql(
if convert_to_printf:
query = convert_to_printf_templating_style(query)
if render_user:
query = Template(query).render({"user": params.get("user", {})})
query = jinja_env.from_string(query).render({"user": params.get("user", {})})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same

@davinov
refactor: avoid using global jinja_env
d36ce8f 
Instanciating an env doesn't cost a lot, so it's best to avoid any
globals
@davinov
Copy link
Member Author

davinov commented Dec 12, 2024

Thanks! Would be great if we could avoid the global var

Indeed, instantiating an env is cheap, so no need for a global:
d36ce8f

@davinov davinov requested a review from lukapeschke December 12, 2024 09:44
lukapeschke
lukapeschke approved these changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@lukapeschke lukapeschke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@davinov davinov merged commit b0b0073 into master Dec 12, 2024
4 checks passed
@davinov davinov deleted the fix-jinja-injection-master branch December 12, 2024 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukapeschke lukapeschke lukapeschke approved these changes

@julien-pinchelimouroux julien-pinchelimouroux Awaiting requested review from julien-pinchelimouroux julien-pinchelimouroux is a code owner automatically assigned from ToucanToco/build_back

Assignees
No one assigned
Labels
Need Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davinov @lukapeschke