Skip to content

Sandbox templates #15912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ashb merged 3 commits into from
May 18, 2021
Merged

Sandbox templates #15912

ashb merged 3 commits into from
May 18, 2021

Conversation

@ashb
Copy link
Member

@ashb ashb commented May 18, 2021
edited
Loading

Templates shouldn't ever be taken from untrusted user input (and it's hard to do so without just edit the dag file, at which point you can run whatever python code you like anyway), but this is a reasonable safety measure just in case someone does something "clever".

This change does mean that templates can no longer access any attributes that start with a _, i.e. {{ obj._foo }} would now fail

The second commit in this PR changes it so that obj._foo continues to work, to reduce chance of breaking existing dags.

ashb added 2 commits May 18, 2021 09:21
@ashb
Use sandboxed jinja environment in templates
d282180 
Templates _shouldn't_ ever be taken from untrusted user input, but this
is a reasonable safety measure just in case someone does something
"clever".

This change does mean that templates can no longer access any attributes
that start with a `_`, i.e. `{{ obj._foo }}` would now fail
@ashb
fixup! Use sandboxed jinja environment in templates
e96f04d
@ashb ashb requested review from kaxil and potiuk May 18, 2021 08:59
@ashb ashb requested review from XD-DENG and turbaszek as code owners May 18, 2021 08:59
ashb
ashb commented May 18, 2021
View reviewed changes
airflow/models/taskinstance.py
)
jinja_env = jinja2.Environment(
loader=jinja2.FileSystemLoader(os.path.dirname(__file__)), autoescape=True
)
Copy link
Member Author

@ashb ashb May 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was made because I was looking for all cases of jinaj2.Environment, and since 3 lines down we render fixed templates, we know it would never product a Native object, so we don't need it.

This change isn't required here, and I can split it out to a separate PR.

potiuk
potiuk approved these changes May 18, 2021
View reviewed changes
Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice

@potiuk
Copy link
Member

potiuk commented May 18, 2021

No need to split.

@ashb ashb merged commit 4295845 into apache:master May 18, 2021
@ashb ashb deleted the sandbox-templates branch May 18, 2021 10:50
ashb added a commit that referenced this pull request May 18, 2021
@ashb
Sandbox templates (#15912)
304e174 
Templates _shouldn't_ ever be taken from untrusted user input (and it's hard to
do so without just edit the dag file, at which point you can run whatever
python code you like _anyway_), but this is a reasonable safety measure just in
case someone does something "clever".

(cherry picked from commit 4295845)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@potiuk potiuk potiuk approved these changes

@kaxil kaxil Awaiting requested review from kaxil

@turbaszek turbaszek Awaiting requested review from turbaszek

@XD-DENG XD-DENG Awaiting requested review from XD-DENG

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ashb @potiuk