From 8aa9ac8a0ffbe3629519f36acc5097be9bb8ded4 Mon Sep 17 00:00:00 2001
From: georgeRobertson <50412379+georgeRobertson@users.noreply.github.com>
Date: Mon, 15 Dec 2025 14:53:46 +0000
Subject: [PATCH 1/3] fix: fix issue where templated error messages would not correctly format when passing in parameter values
---
 src/dve/core_engine/backends/metadata/reporting.py | 2 +-
 src/dve/core_engine/templating.py | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/dve/core_engine/backends/metadata/reporting.py b/src/dve/core_engine/backends/metadata/reporting.py
index 0f2079a..cc0aed4 100644
--- a/src/dve/core_engine/backends/metadata/reporting.py
+++ b/src/dve/core_engine/backends/metadata/reporting.py
@@ -28,7 +28,7 @@ class BaseReportingConfig(BaseModel):
 """
- UNTEMPLATED_FIELDS: ClassVar[set[str]] = {"message"}
+ UNTEMPLATED_FIELDS: ClassVar[set[str]] = set()
 """Fields that should not be templated."""
 emit: Optional[str] = None
diff --git a/src/dve/core_engine/templating.py b/src/dve/core_engine/templating.py
index 4fc39f7..b611c29 100644
--- a/src/dve/core_engine/templating.py
+++ b/src/dve/core_engine/templating.py
@@ -11,6 +11,16 @@ from dve.core_engine.type_hints import JSONable, TemplateVariables
+class PreserveTemplateUndefined(jinja2.Undefined):
+ """
+ Preserve the original template in instances where the value cannot be populated. Whilst this
+ may result in templates coming back in the FeedbackMessage object, it's more useful to know
+ exactly what should have been populated rather than just returning blank values.
+ """
+ def __str__(self):
+ return "{{" + self._undefined_name + "}}"
+
+
 class RuleTemplateError(ValueError):
 """A rule template error."""
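Review bot: Emptying `UNTEMPLATED_FIELDS` in `BaseReportingConfig` (reporting.py hunk) appears to send every `message` string through Jinja2, and nothing in the hunk records the trust assumption that comes with that. `ENVIRONMENT` in templating.py is a plain `jinja2.Environment` rather than `jinja2.sandbox.SandboxedEnvironment`, so a rendered message is only as safe as whoever can author the rule configuration; whether that is restricted is not visible from this patch. Existing messages that contain a literal `{{` or `{%` for display will also change meaning once they are templated. I would state the assumption in the attribute docstring, for example `"""Fields that should not be templated (none; message is rendered, so rule files must come from trusted authors)."""`, and add a regression test for a message with parameters. The class body continues outside the hunk.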
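Review bot: `PreserveTemplateUndefined.__str__` (templating.py, first hunk) concatenates `self._undefined_name` unchecked, and Jinja2 allows that attribute to be `None` when an undefined is created from a hint alone, so rendering would raise `TypeError` instead of preserving anything. Only the bare name is emitted, so an attribute lookup or a filtered expression does not come back as it was written, which is more than the docstring's "preserve the original template" delivers. Jinja2 already ships `jinja2.DebugUndefined`, which renders `{{ name }}` and covers the missing-name and attribute cases; subclassing it, or passing it as `undefined=`, would close the gap. If the custom class stays, guard the name with `name = self._undefined_name or "undefined"` and annotate the method as `def __str__(self) -> str:`.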
@@ -21,7 +31,8 @@ def _raise_rule_templating_error(message: str) -> NoReturn:
 T = TypeVar("T", bound=JSONable)
-ENVIRONMENT = jinja2.Environment(autoescape=False)
+# ENVIRONMENT = jinja2.Environment(autoescape=False)
+ENVIRONMENT = jinja2.Environment(autoescape=False, undefined=PreserveTemplateUndefined)
 ENVIRONMENT.globals["repr"] = repr
 ENVIRONMENT.globals["str"] = str
 ENVIRONMENT.globals["raise"] = _raise_rule_templating_error
From 686eaacc7f134334fe64822bbc028fbe2330bf8a Mon Sep 17 00:00:00 2001
From: georgeRobertson <50412379+georgeRobertson@users.noreply.github.com>
Date: Mon, 15 Dec 2025 15:01:37 +0000
Subject: [PATCH 2/3] style: remove old implementation for jinja env setup
---
 src/dve/core_engine/templating.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/dve/core_engine/templating.py b/src/dve/core_engine/templating.py
index b611c29..dc12ecb 100644
--- a/src/dve/core_engine/templating.py
+++ b/src/dve/core_engine/templating.py
@@ -31,7 +31,6 @@ def _raise_rule_templating_error(message: str) -> NoReturn:
 T = TypeVar("T", bound=JSONable)
-# ENVIRONMENT = jinja2.Environment(autoescape=False)
 ENVIRONMENT = jinja2.Environment(autoescape=False, undefined=PreserveTemplateUndefined)
 ENVIRONMENT.globals["repr"] = repr
 ENVIRONMENT.globals["str"] = str
From e4878e6c90f8c76bb4a8c18c39418238b9dc6499 Mon Sep 17 00:00:00 2001
From: georgeRobertson <50412379+georgeRobertson@users.noreply.github.com>
Date: Tue, 16 Dec 2025 12:11:34 +0000
Subject: [PATCH 3/3] fix: resolve issue with jinja2 environment and security concern around autoescape handling in jinja templates
---
 src/dve/core_engine/templating.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/dve/core_engine/templating.py b/src/dve/core_engine/templating.py
index dc12ecb..0615ba5 100644
--- a/src/dve/core_engine/templating.py
+++ b/src/dve/core_engine/templating.py
@@ -31,7 +31,10 @@ def _raise_rule_templating_error(message: str) -> NoReturn:
 T = TypeVar("T", bound=JSONable)
-ENVIRONMENT = jinja2.Environment(autoescape=False, undefined=PreserveTemplateUndefined)
+ENVIRONMENT = jinja2.Environment(
+ autoescape=jinja2.select_autoescape(default_for_string=False),
+ undefined=PreserveTemplateUndefined,
+)
 ENVIRONMENT.globals["repr"] = repr
 ENVIRONMENT.globals["str"] = str
 ENVIRONMENT.globals["raise"] = _raise_rule_templating_error
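Review bot: `jinja2.select_autoescape(default_for_string=False)` leaves escaping off for templates built from strings, so if this module renders through `ENVIRONMENT.from_string` (not visible in the hunk) the output is the same as with `autoescape=False` and the security concern named in the subject is not actually changed. `select_autoescape` enables escaping only for named templates with an `html`, `htm` or `xml` extension, and its own default for string templates is `True`, which this call overrides. If the messages are plain text, say so next to the setting so it is not mistaken for a fix: `# Plain-text output: escaping is deliberately off; consumers that embed messages in HTML must escape them.` If messages can reach an HTML report, `default_for_string=True` is the value that escapes substituted values. The module-level setup continues outside the hunk.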