Skip to content

Commit

Permalink
fix: Avoid XSS attack from Jinjin2's Environment(). (feast-dev#4355)
Browse files Browse the repository at this point in the history
Signed-off-by: Shuchu Han <[email protected]>
  • Loading branch information
shuchu authored Jul 15, 2024
1 parent b9696ef commit 40270e7
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -365,7 +365,9 @@ def build_point_in_time_query(
full_feature_names: bool = False,
) -> str:
"""Build point-in-time query between each feature view table and the entity dataframe for PostgreSQL"""
template = Environment(loader=BaseLoader()).from_string(source=query_template)
template = Environment(autoescape=True, loader=BaseLoader()).from_string(
source=query_template
)

final_output_feature_names = list(entity_df_columns)
final_output_feature_names.extend(
Expand Down
4 changes: 3 additions & 1 deletion sdk/python/feast/infra/offline_stores/offline_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,9 @@ def build_point_in_time_query(
full_feature_names: bool = False,
) -> str:
"""Build point-in-time query between each feature view table and the entity dataframe for Bigquery and Redshift"""
template = Environment(loader=BaseLoader()).from_string(source=query_template)
template = Environment(autoescape=True, loader=BaseLoader()).from_string(
source=query_template
)

final_output_feature_names = list(entity_df_columns)
final_output_feature_names.extend(
Expand Down

0 comments on commit 40270e7

Please sign in to comment.