fix: Avoid XSS attack from Jinjin2's Environment(). (feast-dev#4355)

shuchu · web-flow · commit 40270e754660 · 2024-07-15T07:47:12.000Z
Signed-off-by: Shuchu Han &lt;shuchu.han@gmail.com&gt;
diff --git a/sdk/python/feast/infra/offline_stores/contrib/postgres_offline_store/postgres.py b/sdk/python/feast/infra/offline_stores/contrib/postgres_offline_store/postgres.py
@@ -365,7 +365,9 @@ def build_point_in_time_query(
     full_feature_names: bool = False,
 ) -> str:
     """Build point-in-time query between each feature view table and the entity dataframe for PostgreSQL"""
-    template = Environment(loader=BaseLoader()).from_string(source=query_template)
+    template = Environment(autoescape=True, loader=BaseLoader()).from_string(
+        source=query_template
+    )
 
     final_output_feature_names = list(entity_df_columns)
     final_output_feature_names.extend(
diff --git a/sdk/python/feast/infra/offline_stores/offline_utils.py b/sdk/python/feast/infra/offline_stores/offline_utils.py
@@ -186,7 +186,9 @@ def build_point_in_time_query(
     full_feature_names: bool = False,
 ) -> str:
     """Build point-in-time query between each feature view table and the entity dataframe for Bigquery and Redshift"""
-    template = Environment(loader=BaseLoader()).from_string(source=query_template)
+    template = Environment(autoescape=True, loader=BaseLoader()).from_string(
+        source=query_template
+    )
 
     final_output_feature_names = list(entity_df_columns)
     final_output_feature_names.extend(
