From f4891be3c301ffc4046f807d7cc97c9c7e4ecfb6 Mon Sep 17 00:00:00 2001 From: Rushi Agrawal Date: Thu, 9 Sep 2021 18:41:44 +0530 Subject: [PATCH] Fix potential security issues with jinja2 and pyyaml dep Added escaping to jinja templates. With PyYAML dependency, accidentally added '<3.4.1' whereas the intent was to make it '==3.4.1', while fixing as per dependabot alert. Fixed it now. Signed-off-by: Rushi Agrawal --- dev-requirements.txt | 2 +- utils/generate-api.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dev-requirements.txt b/dev-requirements.txt index 532c319f..626a8fdc 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -12,7 +12,7 @@ numpy; python_version<"3.10" pandas; python_version<"3.10" pyyaml>=5.4; python_version>="3.6" -pyyaml<5.3.1; python_version<"3.6" +pyyaml==5.3.1; python_version<"3.6" isort black; python_version>="3.6" diff --git a/utils/generate-api.py b/utils/generate-api.py index 32f3d090..7504057a 100644 --- a/utils/generate-api.py +++ b/utils/generate-api.py @@ -42,7 +42,7 @@ import black import unasync import urllib3 from click.testing import CliRunner -from jinja2 import Environment, FileSystemLoader, TemplateNotFound +from jinja2 import Environment, FileSystemLoader, TemplateNotFound, select_autoescape http = urllib3.PoolManager() @@ -67,6 +67,7 @@ GLOBAL_QUERY_PARAMS = { } jinja_env = Environment( + autoescape=select_autoescape(["html", "xml"]), loader=FileSystemLoader([CODE_ROOT / "utils" / "templates"]), trim_blocks=True, lstrip_blocks=True,