Improving jinja2 security by using SandboxedEnvironment

http://jinja.pocoo.org/docs/dev/sandbox/#sandbox
apache · Nov 18, 2016 · d028864 · d028864
1 parent d5ef937
commit d028864
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/superset/jinja_context.py b/superset/jinja_context.py
@@ -5,7 +5,7 @@
 from __future__ import unicode_literals
 
 import inspect
-import jinja2
+from jinja2.sandbox import SandboxedEnvironment
 
 from datetime import datetime, timedelta
 from dateutil.relativedelta import relativedelta
@@ -58,6 +58,7 @@ def __init__(self, database=None, query=None, table=None):
         self.context.update(BASE_CONTEXT)
         if self.engine:
             self.context[self.engine] = self
+        self.env = SandboxedEnvironment()
 
     def process_template(self, sql):
         """Processes a sql template
@@ -66,7 +67,7 @@ def process_template(self, sql):
         >>> process_template(sql)
         "SELECT '2017-01-01T00:00:00'"
         """
-        template = jinja2.Template(sql)
+        template = self.env.from_string(sql)
         return template.render(self.context)