Fix potential security issues with jinja2 and pyyaml dep
Added escaping to jinja templates. With PyYAML dependency, accidentally added '<3.4.1' whereas the intent was to make it '==3.4.1', while fixing as per dependabot alert. Fixed it now. Signed-off-by: Rushi Agrawal <rushi.agr@gmail.com>
This commit is contained in:
@@ -12,7 +12,7 @@ numpy; python_version<"3.10"
|
||||
pandas; python_version<"3.10"
|
||||
|
||||
pyyaml>=5.4; python_version>="3.6"
|
||||
pyyaml<5.3.1; python_version<"3.6"
|
||||
pyyaml==5.3.1; python_version<"3.6"
|
||||
|
||||
isort
|
||||
black; python_version>="3.6"
|
||||
|
||||
@@ -42,7 +42,7 @@ import black
|
||||
import unasync
|
||||
import urllib3
|
||||
from click.testing import CliRunner
|
||||
from jinja2 import Environment, FileSystemLoader, TemplateNotFound
|
||||
from jinja2 import Environment, FileSystemLoader, TemplateNotFound, select_autoescape
|
||||
|
||||
http = urllib3.PoolManager()
|
||||
|
||||
@@ -67,6 +67,7 @@ GLOBAL_QUERY_PARAMS = {
|
||||
}
|
||||
|
||||
jinja_env = Environment(
|
||||
autoescape=select_autoescape(["html", "xml"]),
|
||||
loader=FileSystemLoader([CODE_ROOT / "utils" / "templates"]),
|
||||
trim_blocks=True,
|
||||
lstrip_blocks=True,
|
||||
|
||||
Reference in New Issue
Block a user