From 6a07b3acdadf3ef16ffa9d7b9dc25f73388cd5f8 Mon Sep 17 00:00:00 2001
From: Yi Liu
Date: Tue, 17 Feb 2026 12:17:22 +0800
Subject: [PATCH] fix(core): correct misleading jinja2 sandboxing comment (#35183)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- The inline comment at `langchain_core/prompts/string.py:67-69` incorrectly states that `SandboxedEnvironment` "blocks ALL attribute/method access" and that "only simple variable lookups like `{{variable}}` are allowed."
- In reality, Jinja2's `SandboxedEnvironment` only blocks access to dunder attributes (`__class__`, `__globals__`, etc.) to prevent sandbox escapes. Regular attribute access like `{{obj.content}}` and method calls remain allowed.
- This misleading comment was left behind when a `_RestrictedSandboxedEnvironment` class was reverted in commit 395c8d0bd4. Updated to accurately describe the actual behavior.

## Why this matters

The comment could mislead developers into trusting partially-untrusted templates, believing attribute access is blocked when it is not. The function's docstring already correctly warns against untrusted templates.

## Test plan

- [ ] No behavioral change — comment-only fix
- [ ] Verified `SandboxedEnvironment` behavior matches updated comment

> This PR was authored with the help of AI tools.
---
 libs/core/langchain_core/prompts/string.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libs/core/langchain_core/prompts/string.py b/libs/core/langchain_core/prompts/string.py
index a7e1263544b..0e3a29d75ef 100644
--- a/libs/core/langchain_core/prompts/string.py
+++ b/libs/core/langchain_core/prompts/string.py
@@ -64,9 +64,11 @@ def jinja2_formatter(template: str, /, **kwargs: Any) -> str: ) raise ImportError(msg) - # Use a restricted sandbox that blocks ALL attribute/method access - # Only simple variable lookups like {{variable}} are allowed - # Attribute access like {{variable.attr}} or {{variable.method()}} is blocked + # Use Jinja2's SandboxedEnvironment which blocks access to dunder attributes + # (e.g., __class__, __globals__) to prevent sandbox escapes. + # Note: regular attribute access (e.g., {{obj.attr}}) and method calls are + # still allowed. This is a best-effort measure — do not use with untrusted + # templates. return SandboxedEnvironment().from_string(template).render(**kwargs)
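Review bot: The new comment above `return SandboxedEnvironment().from_string(template).render(**kwargs)` says regular attribute access and method calls are "still allowed" but does not say on what. Because the values reach the template through `render(**kwargs)`, that means the regular attributes and methods of every object a caller passes as a keyword argument. Consider stating that directly in the comment, and noting that callers who handle partially trusted templates should pass only plain values such as strings and numbers, so the "do not use with untrusted templates" warning is actionable. Separately, the diffstat shows only `string.py` changed and both test-plan items are unchecked. A small unit test asserting that `{{obj.attr}}` renders and that `{{obj.__class__}}` does not expose the class would pin the behaviour this comment now documents, and would flag any future change like the reverted `_RestrictedSandboxedEnvironment` mentioned in the commit message.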