[Enhancement] [zos_copy] [zos_job_submit] [zos_script] Add option to disable autoescape for Jinja templates #1810
Conversation
|
Results for the pipeline
|
rexemin
requested review from
ketankelkar,
fernandofloresg,
ddimatos,
richp405 and
AndreMarcel99
There was a problem hiding this comment.
General questions:
- How does this impact users who have been piping values to safe?
- We probably want to update the changelog fragment so it also includes a behavior change so the one releasing can properly highlight this. This could be a known issues type fragment.
//{{template_values | safe }}
| if autoescape: | ||
| self.templating_env = jinja2.Environment(autoescape=True, **environment_args) | ||
| else: | ||
| self.templating_env = jinja2.Environment(autoescape=jinja2.select_autoescape(), **environment_args) |
There was a problem hiding this comment.
Question, the branched logic here, else, is relying on jinja2.select_autoescape() which will return false as it is today, would it be safer to be explicit since this could change in the future where maybe it would be true thus if/else would return true should the behavior change.
Also note the documentation:
There was a problem hiding this comment.
Explicit in what way? I could change the function so it specifies the kinds of files that will commonly be templated, but just putting false in autoescape generates an error in Bandit.
There was a problem hiding this comment.
@rexemin Is that the case if you use the following?
| self.templating_env = jinja2.Environment(autoescape=jinja2.select_autoescape(), **environment_args) | |
| self.templating_env = jinja2.Environment(autoescape=autoescape, **environment_args) |
Just set autoescape parameter value to whatever autoescape variable has?
There was a problem hiding this comment.
Yes, that is the case, it was the original code that caused the bandit error in the first place
There was a problem hiding this comment.
yup, is gonna trigger that scan issue no matter what. This is ok for me as long as we have a test which tests autoescape False and True. That means, if this gets changed in the future, then will be caught in the test cases.
|
This change should not affect users already using the |
| if autoescape: | ||
| self.templating_env = jinja2.Environment(autoescape=True, **environment_args) | ||
| else: | ||
| self.templating_env = jinja2.Environment(autoescape=jinja2.select_autoescape(), **environment_args) |
There was a problem hiding this comment.
@rexemin Is that the case if you use the following?
| self.templating_env = jinja2.Environment(autoescape=jinja2.select_autoescape(), **environment_args) | |
| self.templating_env = jinja2.Environment(autoescape=autoescape, **environment_args) |
Just set autoescape parameter value to whatever autoescape variable has?
| @@ -158,6 +158,18 @@ | |||
| /* | |||
| //SYSUT2 DD SYSOUT=* | |||
| // | |||
| """, | |||
| "Autoescape": """//{{ pgm_name }} JOB (T043JM,JM00,1,0,0,0),{{ parameter }},CLASS=R, | |||
| // MSGCLASS=X,MSGLEVEL=1,NOTIFY=S0JM | |||
There was a problem hiding this comment.
In the issue related users complained both about & and ' could you add those as part of the tests?
There was a problem hiding this comment.
oh I see single quotes is added down there so just &
…e_shell_call_cp_to_python_module [Enabler][1652]migrate_shell_call_cp_to_python_module
Swapped old zoau v1.1.0 to use as zoau 1.3.4 ga build
… resource types (#1822) * Added fix for zos_find * Added tests for fix * Updated changelog
* Add enhance error message * Add fragment * Update plugins/modules/zos_copy.py Co-authored-by: Fernando Flores <[email protected]> * Update 1821-Add_error_message.yml * Update zos_copy.py --------- Co-authored-by: Fernando Flores <[email protected]>
…_init_portability [Enabler][1589]volume_init_test_portability
…C tool (#1829) * Update minimum version of z/OS for the GA of 1.12 Signed-off-by: ddimatos <[email protected]> * Update AAP link Signed-off-by: ddimatos <[email protected]> * Venv for 2.18 Signed-off-by: ddimatos <[email protected]> * remove merge flags Signed-off-by: ddimatos <[email protected]> * Merged release into dev * fixed test case * Fixed mvs raw test --------- Signed-off-by: ddimatos <[email protected]> Co-authored-by: Fernando Flores <[email protected]>
…1827) * Change flag used to run specific test * Add more env vars needed to run tests * Add verbose option to ac_test * Add mark and stop options to ac_test * Refactor pytest call Also changes how verbosity is handled, as well as adds printing of each pytest command run. * Update config to support new way of handling env vars in tests * Add profile option to ac_lint * Add support to run multiple files in ac_test * Change boolean options to flags Options `debug` (ac_test, test_concurrent) and `stop` (ac_test) can be now used simply as flags, without the need to add a `"true"` string after the option. * Document and clean up arg parser * Update more boolean options to be flags * Refactor pytest call * Add option 'volumes' to ac_test * Add user option and tweak verbosity * Add ac-test-required command * Add changelog fragment
… API (#1831) * Replace calls to cp for dcp * Replace copy functions in copy.py * Replace copy calls in modules * Fix typo * Fix return statement * Add changelog fragment * Fix sanity issues
fernandofloresg
force-pushed
the
dev
branch
2 times, most recently
from
2660c02 to
f5376bf
Compare
|
Please check why some fragments are being added, maybe the branch has diverted a bit from dev |
Done, it looks like it just needed to merge recent changes in dev. |
SUMMARY
Fixes #1198.
ISSUE TYPE
COMPONENT NAME
ADDITIONAL INFORMATION
This adds a new option
autoescapeto all the modules that currently support templates. Its default value isTruejust to err on the side of caution, but it allows users to disable autoescaping whenever they need to.