Disable loading jinja2 PromptTemplate from file.
#10252
Conversation
jinja2 templates are not sandboxed and are at risk for arbitrary code execution. To mitigate this risk: - We no longer support loading jinja2-formatted prompt template files. - `PromptTemplate` with jinja2 may still be constructed manually, but the class carries a security warning reminding the user to not pass untrusted input into it. Resolves #4394.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
dosubot
bot
added
the
🤖:bug
obi1kenobi
force-pushed
the
pg/jinja2-injection
branch
from
a4554a9
to
68c57ad
Compare
|
Why isn't the sandbox enabled by default, but instead there is a warning about risks in jinja2? |
|
By the way that jinja2 is designed, it is not possible to create a sandbox from inside a running Python process. It is not something the Of course, it's best to completely avoid jinja2 if possible, because of the difficulty in setting up such a sandbox properly. |
|
is |
|
It's very nice and we're looking into adopting it, but it unfortunately isn't safe enough to justify not recommending an external sandbox. One of the concerns is that the jinja sandbox security model is "assume safe unless marked" instead of "assume unsafe unless marked." It relies on functions being explicitly marked as unsafe, which is very difficult to do safely in a large fast-moving project like this one. All it would take is one slip-up and attackers would have a way in. Here I'm explicitly not saying that jinja made a poor design decision. That design is very reasonable from an adoption and ease of use perspective — the safer alternative would probably be quite onerous to use. All I'm saying is that its security model isn't quite a match for our needs and concerns :) |
jinja2 templates are not sandboxed and are at risk for arbitrary code execution. To mitigate this risk: - We no longer support loading jinja2-formatted prompt template files. - `PromptTemplate` with jinja2 may still be constructed manually, but the class carries a security warning reminding the user to not pass untrusted input into it. Resolves langchain-ai#4394.
jinja2 templates are not sandboxed and are at risk for arbitrary code execution. To mitigate this risk:
PromptTemplatewith jinja2 may still be constructed manually, but the class carries a security warning reminding the user to not pass untrusted input into it.Resolves #4394.
Resolves: CVE-2023-36281