Chore: use jinja sandbox for templates

sodadata · Nov 13, 2024 · 982c10f · 982c10f
1 parent 0ecbec4
commit 982c10f
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/soda/core/soda/common/jinja.py b/soda/core/soda/common/jinja.py
@@ -3,6 +3,7 @@
 
 from jinja2 import Environment
 from jinja2.runtime import Context
+from jinja2.sandbox import SandboxedEnvironment
 
 
 class OsContext(Context):
@@ -18,7 +19,7 @@ def resolve_or_missing(self, key):
 
 
 def create_os_environment():
-    environment = Environment(variable_start_string="${", variable_end_string="}")
+    environment = SandboxedEnvironment(variable_start_string="${", variable_end_string="}", autoescape=True)
     environment.context_class = OsContext
     return environment
 
@@ -27,14 +28,16 @@ class Jinja:
     environment = create_os_environment()
 
     @staticmethod
-    def resolve(template: str, variables: dict = None) -> str:
+    def resolve(template: str, variables: dict = None, environment: Environment = None) -> str:
         """
         Convenience method that funnels Jinja exceptions into parselog errors.
         This method throws no exceptions.  Returns None in case of Jinja exceptions.
         """
+        if environment is None:
+            environment = create_os_environment()
         if not isinstance(variables, dict):
             variables = {}
-        jinja_template = Jinja.environment.from_string(template)
+        jinja_template = environment.from_string(template)
         rendered_value = jinja_template.render(variables)
         return rendered_value