fix(core): undo jinja2 restrictions (#34072)

Reverting jinja2 restrictions that made the feature unusable
2026-06-09 10:17:00 +00:00 · 2025-12-09 09:46:36 -05:00
parent 34d31b8394
commit 395c8d0bd4
2 changed files with 2 additions and 124 deletions
--- a/libs/core/langchain_core/prompts/string.py
+++ b/libs/core/langchain_core/prompts/string.py
@@ -20,65 +20,8 @@ if TYPE_CHECKING:

 try:
    from jinja2 import meta
-    from jinja2.exceptions import SecurityError
    from jinja2.sandbox import SandboxedEnvironment

-    class _RestrictedSandboxedEnvironment(SandboxedEnvironment):
-        """A more restrictive Jinja2 sandbox that blocks all attribute/method access.
-
-        This sandbox only allows simple variable lookups, no attribute or method access.
-        This prevents template injection attacks via methods like parse_raw().
-        """
-
-        def is_safe_attribute(self, _obj: Any, _attr: str, _value: Any) -> bool:
-            """Block ALL attribute access for security.
-
-            Only allow accessing variables directly from the context dict,
-            no attribute access on those objects.
-
-            Args:
-                _obj: The object being accessed (unused, always blocked).
-                _attr: The attribute name (unused, always blocked).
-                _value: The attribute value (unused, always blocked).
-
-            Returns:
-                False - all attribute access is blocked.
-            """
-            # Block all attribute access
-            return False
-
-        def is_safe_callable(self, _obj: Any) -> bool:
-            """Block all method calls for security.
-
-            Args:
-                _obj: The object being checked (unused, always blocked).
-
-            Returns:
-                False - all callables are blocked.
-            """
-            return False
-
-        def getattr(self, obj: Any, attribute: str) -> Any:
-            """Override getattr to block all attribute access.
-
-            Args:
-                obj: The object.
-                attribute: The attribute name.
-
-            Returns:
-                Never returns.
-
-            Raises:
-                SecurityError: Always, to block attribute access.
-            """
-            msg = (
-                f"Access to attributes is not allowed in templates. "
-                f"Attempted to access '{attribute}' on {type(obj).__name__}. "
-                f"Use only simple variable names like {{{{variable}}}} "
-                f"without dots or methods."
-            )
-            raise SecurityError(msg)
-
    _HAS_JINJA2 = True
 except ImportError:
    _HAS_JINJA2 = False
@@ -121,7 +64,7 @@ def jinja2_formatter(template: str, /, **kwargs: Any) -> str:
    # Use a restricted sandbox that blocks ALL attribute/method access
    # Only simple variable lookups like {{variable}} are allowed
    # Attribute access like {{variable.attr}} or {{variable.method()}} is blocked
-    return _RestrictedSandboxedEnvironment().from_string(template).render(**kwargs)
+    return SandboxedEnvironment().from_string(template).render(**kwargs)


 def validate_jinja2(template: str, input_variables: list[str]) -> None:
@@ -156,7 +99,7 @@ def _get_jinja2_variables_from_template(template: str) -> set[str]:
            "Please install it with `pip install jinja2`."
        )
        raise ImportError(msg)
-    env = _RestrictedSandboxedEnvironment()
+    env = SandboxedEnvironment()
    ast = env.parse(template)
    return meta.find_undeclared_variables(ast)