Replace author + organize CLI #907

Merged
Eyal-Danieli merged 2 commits into
masterfrom
development
Oct 5, 2025
Conversation

@Eyal-Danieli
Member

@Eyal-Danieli Eyal-Danieli commented Oct 5, 2025

danielperezz and others added 2 commits September 28, 2025 15:43
* create a CLI for generating item.yaml and organize the CLI directory

* modify comments to module

* PR fixes

* Update cli/common/generate_item_yaml.py

Co-authored-by: Eyal Danieli <eyal_danieli@mckinsey.com>

---------

Co-authored-by: Eyal Danieli <eyal_danieli@mckinsey.com>
}

# Load and render template
env = Environment(loader=FileSystemLoader("."))

Check failure

Code scanning / CodeQL

Jinja2 templating with autoescape=False High

Using jinja2 templates with autoescape=False can potentially allow XSS attacks.

Copilot Autofix

AI 8 months ago

To resolve the issue, we should explicitly enable autoescaping when creating the Jinja2 Environment. The best practice is to use autoescape=select_autoescape([...]), allowing Jinja2 to select auto-escapers for formats where it makes sense (such as HTML or XML), and disable for others (like YAML). However, since YAML is not recognized by select_autoescape by default, specifying autoescape=True could unintentionally escape all fields, leading to undesirable results in the YAML output (e.g., character encoding in strings). Instead, adopting autoescape=select_autoescape() is the recommended approach, as it will safely apply autoescaping only if/when templates change to support formats like HTML/XML. To use select_autoescape, we need to import it explicitly from Jinja2.

Therefore:

  • Add from jinja2 import select_autoescape to the imports.
  • Change the Environment(...) constructor to pass autoescape=select_autoescape().

All changes will be in cli/common/generate_item_yaml.py.

Suggested changeset 1
cli/common/generate_item_yaml.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/common/generate_item_yaml.py b/cli/common/generate_item_yaml.py
--- a/cli/common/generate_item_yaml.py
+++ b/cli/common/generate_item_yaml.py
@@ -2,7 +2,7 @@
 from pathlib import Path
 from datetime import datetime
 import click
-from jinja2 import Environment, FileSystemLoader
+from jinja2 import Environment, FileSystemLoader, select_autoescape
 
 TEMPLATES = {
     "function": "cli/utils/function_item_template.yaml.j2",
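Review bot: the new `select_autoescape` import only matters if it changes the `Environment` further down, and with its default extension list (`.html`, `.htm`, `.xml`) it will never match the `.yaml.j2` names listed in `TEMPLATES` directly below it. If the import is kept to satisfy the scanner, add a one-line comment next to it stating that the output is YAML, not HTML, so the next reader does not assume escaping is actually on.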
@@ -43,7 +43,7 @@
     }
 
     # Load and render template
-    env = Environment(loader=FileSystemLoader("."))
+    env = Environment(loader=FileSystemLoader("."), autoescape=select_autoescape())
     template = env.get_template(TEMPLATES[type])
     rendered = template.render(params)
 
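Review bot: `select_autoescape()` with default arguments enables escaping only for template names ending in `.html`, `.htm` or `.xml`; every name in `TEMPLATES` ends in `.yaml.j2`, so `autoescape` resolves to False for each of them and `rendered` is byte-for-byte what it was before this change. The CodeQL alert is silenced rather than addressed, and HTML escaping would be the wrong tool for YAML anyway (it would turn `&` in a value into `&amp;`). If untrusted values can reach `params`, a newline or `: ` inside one of them can add keys to the generated item.yaml; suggest a YAML-aware quoting filter instead, e.g. `env.filters["yamlq"] = lambda v: json.dumps(str(v))` and `{{ description | yamlq }}` in the templates, since a JSON string is a valid double-quoted YAML scalar. Separately, `FileSystemLoader(".")` together with the repo-relative paths in `TEMPLATES` only works when the CLI is invoked from the repository root; building the loader root from `Path(__file__).resolve().parents[2]` (the `Path` import is already present) would make it location-independent.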
EOF
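Added example, not code from PR #907 or from the repository. It reproduces, against an in-memory template, the behaviour the autofix comment above relies on: `select_autoescape()` leaves a `.yaml.j2` template unescaped, HTML autoescaping would corrupt YAML without stopping a newline injection, and a JSON-style quoting filter yields valid YAML for a hostile value. The template text, the filter name `yamlq` and the hostile `description` value are constructed for the example; the real `cli/utils/*.yaml.j2` files are not reproduced.

```python
"""Added example (not the project's code): autoescape vs. YAML-aware quoting
when rendering an item.yaml-style template with Jinja2."""
import json

from jinja2 import DictLoader, Environment, select_autoescape

# Constructed template modelled on an item.yaml template (assumption: the
# repository's own templates are not reproduced here).
TEMPLATE_NAME = "function_item_template.yaml.j2"
UNQUOTED = "name: {{ name }}\ndescription: {{ description }}\n"
QUOTED = "name: {{ name | yamlq }}\ndescription: {{ description | yamlq }}\n"

# Constructed hostile input: the newline lets "description" smuggle in a
# second top-level key ("kind"), and the "&" shows what HTML escaping does.
PARAMS = {"name": "my-func", "description": "harmless\nkind: job & more"}


def yaml_quote(value) -> str:
    """Quote a scalar as a double-quoted YAML string.

    JSON string syntax is a subset of YAML's double-quoted scalar syntax, so
    json.dumps escapes newlines, quotes and backslashes in a form any YAML 1.2
    parser accepts, and the value can no longer break out of its line.
    """
    return json.dumps(str(value), ensure_ascii=False)


def autoescape_decision(template_name: str) -> bool:
    """What select_autoescape() with default arguments decides for a name.

    Defaults enable escaping for .html/.htm/.xml only; anything else gets
    default=False, which is why a .yaml.j2 template stays unescaped.
    """
    return select_autoescape()(template_name)


def render(template_src: str, autoescape: bool) -> str:
    """Render the constructed template with an explicit autoescape setting.

    keep_trailing_newline=True so the output ends with a newline like a
    normal YAML file (Jinja2 strips a single trailing newline by default).
    """
    env = Environment(
        loader=DictLoader({TEMPLATE_NAME: template_src}),
        autoescape=autoescape,
        keep_trailing_newline=True,
    )
    env.filters["yamlq"] = yaml_quote  # hypothetical filter name
    return env.get_template(TEMPLATE_NAME).render(PARAMS)


def top_level_keys(yaml_text: str) -> list:
    """Collect unindented 'key:' lines. Enough to show whether an injected
    key surfaced in the output; deliberately not a YAML parser."""
    return [
        line.split(":", 1)[0]
        for line in yaml_text.splitlines()
        if line and not line[0].isspace() and ":" in line
    ]


if __name__ == "__main__":
    print("select_autoescape on .yaml.j2:", autoescape_decision(TEMPLATE_NAME))
    print("--- unquoted, autoescape=False (the PR as merged):")
    print(render(UNQUOTED, False))      # an injected "kind" key appears
    print("--- unquoted, autoescape=True (what autoescape=True would do):")
    print(render(UNQUOTED, True))       # "&" becomes "&amp;", key still injected
    print("--- yamlq filter, autoescape=False:")
    print(render(QUOTED, False))        # newline escaped, two keys, valid YAML
```

Note that `yaml_quote` returns a plain `str`; if autoescaping is ever switched on for these templates, the filter must return `markupsafe.Markup` or its double quotes will be rewritten to `&#34;` and the output will no longer be the YAML it looks like.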
@Eyal-Danieli Eyal-Danieli merged commit c44b3e8 into master Oct 5, 2025
82 checks passed
3 participants