From 79c13e721e89fb2877ff66cc4879885e2934d2b3 Mon Sep 17 00:00:00 2001
From: Wolf Vollprecht
Date: Wed, 7 Aug 2024 08:53:58 -0400
Subject: [PATCH] feat: use sandboxed Jinja env for slightly elevated security (#49)
---
 src/rattler_build_conda_compat/jinja/jinja.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/rattler_build_conda_compat/jinja/jinja.py b/src/rattler_build_conda_compat/jinja/jinja.py
index 20d7774..65f8b30 100644
--- a/src/rattler_build_conda_compat/jinja/jinja.py
+++ b/src/rattler_build_conda_compat/jinja/jinja.py
@@ -4,6 +4,7 @@
 import jinja2
 import yaml
+from jinja2.sandbox import SandboxedEnvironment
 from rattler_build_conda_compat.jinja.filters import _bool, _split, _version_to_build_string
 from rattler_build_conda_compat.jinja.objects import (
@@ -23,13 +24,13 @@ class RecipeWithContext(TypedDict, total=False):
 context: dict[str, str]
-def jinja_env() -> jinja2.Environment:
+def jinja_env() -> SandboxedEnvironment:
 """
 Create a `rattler-build` specific Jinja2 environment with modified syntax.
 Target platform, build platform, and mpi are set to linux-64 by default.
 """
- env = jinja2.Environment(
+ env = SandboxedEnvironment(
 variable_start_string="${{",
 variable_end_string="}}",
 trim_blocks=True,
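Review bot: The docstring of `jinja_env()` in the second hunk still describes only the modified syntax, so nothing tells a caller that rendering can now raise `jinja2.exceptions.SecurityError` or what the sandbox does and does not cover. `SandboxedEnvironment` intercepts unsafe attribute access and calls made from template expressions; it does not vet the filters and globals the environment itself registers, and it is not a resource limit, so those helpers remain the trust boundary when a recipe is untrusted. I would add a line such as `Rendering is sandboxed: unsafe attribute access raises jinja2.exceptions.SecurityError; registered filters and globals are trusted.` to the docstring. If recipe templates never need to mutate context objects, `ImmutableSandboxedEnvironment` from the same module would be the tighter choice. The rest of the function body lies outside the hunk, so which filters and globals are registered could not be checked here.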