fix: Avoid XSS attack from Jinjin2's Environment(). (#4355)

Signed-off-by: Shuchu Han <shuchu.han@gmail.com>
feast-dev · Jul 15, 2024 · 40270e7 · 40270e7
1 parent b9696ef
commit 40270e7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/sdk/python/feast/infra/offline_stores/contrib/postgres_offline_store/postgres.py b/sdk/python/feast/infra/offline_stores/contrib/postgres_offline_store/postgres.py
@@ -365,7 +365,9 @@ def build_point_in_time_query(
     full_feature_names: bool = False,
 ) -> str:
     """Build point-in-time query between each feature view table and the entity dataframe for PostgreSQL"""
-    template = Environment(loader=BaseLoader()).from_string(source=query_template)
+    template = Environment(autoescape=True, loader=BaseLoader()).from_string(
+        source=query_template
+    )
 
     final_output_feature_names = list(entity_df_columns)
     final_output_feature_names.extend(

diff --git a/sdk/python/feast/infra/offline_stores/offline_utils.py b/sdk/python/feast/infra/offline_stores/offline_utils.py
@@ -186,7 +186,9 @@ def build_point_in_time_query(
     full_feature_names: bool = False,
 ) -> str:
     """Build point-in-time query between each feature view table and the entity dataframe for Bigquery and Redshift"""
-    template = Environment(loader=BaseLoader()).from_string(source=query_template)
+    template = Environment(autoescape=True, loader=BaseLoader()).from_string(
+        source=query_template
+    )
 
     final_output_feature_names = list(entity_df_columns)
     final_output_feature_names.extend(