
AI junk#2202

Closed
muhamedfazalps wants to merge 1 commit into pallets:main from muhamedfazalps:fix/validate-exported-names

Conversation

@muhamedfazalps


The generated import statement in visit_Template directly interpolates module attribute names from jinja2.runtime.exported into Python code without sanitization. If an attacker can pollute these runtime lists via class pollution, they could inject arbitrary Python code.

This change adds a validation step that checks each exported name is a valid Python identifier (via str.isidentifier()) before using it in the generated import statement.

Closes #2197

…ution

The generated import statement in visit_Template directly interpolates
module attribute names from jinja2.runtime.exported into Python code
without sanitization. An attacker who can pollute these runtime lists
could inject arbitrary Python code.

Fix: validate each exported name is a valid Python identifier before
using it in the generated import.

Signed-off-by: Muhamed Fazal PS <fazaleee123cr7@gmail.com>
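Added example, not code from the PR or from Jinja's compiler: a small model of the mechanism the description and commit message both claim (names read from a runtime "exported" list are joined into a generated `from jinja2.runtime import ...` line), placed beside the check the PR proposes. The `EXPORTED` list, the `render_import`/`validated_names`/`statement_count` helpers and the hostile entry `"missing; import os"` are all constructed for the example. One refinement a practitioner would want is included: `str.isidentifier()` returns True for keywords such as `class`, so the check below also rejects keywords. Note too that anyone able to rewrite a module attribute inside the interpreter is already running code in that process, so a check of this kind hardens the generated source but does not create a security boundary.

```python
import ast
import keyword

# Constructed stand-in for the runtime's exported-name list. The real
# jinja2.runtime.exported is a list of helper names; these four are an
# assumption used only to keep the example self-contained.
EXPORTED = ["LoopContext", "Markup", "escape", "missing"]


def render_import(names):
    """Build the import line the way the PR description says visit_Template
    does: the names are joined into the statement with no validation."""
    return "from jinja2.runtime import " + ", ".join(names)


def is_safe_name(name):
    """Accept only plain identifiers. str.isidentifier() alone is not enough:
    it returns True for keywords such as 'class', so those are rejected too."""
    return isinstance(name, str) and name.isidentifier() and not keyword.iskeyword(name)


def validated_names(names):
    """The check the PR proposes, with the keyword refinement above: fail
    closed on any entry that is not a usable identifier."""
    bad = [n for n in names if not is_safe_name(n)]
    if bad:
        raise ValueError(f"non-identifier exported names: {bad!r}")
    return list(names)


def render_import_validated(names):
    """Hardened form: validate every name before it reaches generated code."""
    return render_import(validated_names(names))


def statement_count(source):
    """How many top-level statements Python parses from the generated line.
    More than one means a second statement rode in on a 'name'."""
    return len(ast.parse(source).body)


if __name__ == "__main__":
    polluted = EXPORTED + ["missing; import os"]  # constructed hostile entry
    line = render_import(polluted)
    print(line, "->", statement_count(line), "statements")
    try:
        render_import_validated(polluted)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows the unvalidated line parsing as two statements once the hostile entry is present, while the validated path refuses the whole list; `ast.parse` is used only as an oracle for the demonstration, nothing generated here is executed.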
@davidism davidism closed this Jun 29, 2026
@davidism davidism changed the title fix: validate exported names to prevent code injection via class pollution AI junk Jun 29, 2026