fix(native): Jinja - enable autoescape for .jinja (old naming) files (#7243)

Author: ovr

packages/cubejs-backend-native/src/template/entry.rs

@@ -98,6 +98,7 @@ impl JinjaEngine {
                 Err(err)
             },
         );
+        engine.set_auto_escape_callback(|_name: &str| mj::AutoEscape::Json);
 
         Ok(Self { inner: engine })
     }

packages/cubejs-backend-native/test/__snapshots__/jinja.test.ts.snap

@@ -6,9 +6,9 @@ exports[`Jinja (new api) render 01.yml.jinja: 01.yml.jinja 1`] = `
     sql: >
       SELECT
         order_id,
-        SUM(CASE WHEN payment_method = 'bank_transfer' THEN amount END) AS bank_transfer_amount,
-        SUM(CASE WHEN payment_method = 'credit_card' THEN amount END) AS credit_card_amount,
-        SUM(CASE WHEN payment_method = 'gift_card' THEN amount END) AS gift_card_amount,
+        SUM(CASE WHEN payment_method = 'TRANSFER' THEN amount END) AS bank_transfer_amount,
+        SUM(CASE WHEN payment_method = 'CREDIT' THEN amount END) AS credit_card_amount,
+        SUM(CASE WHEN payment_method = 'GIFT' THEN amount END) AS gift_card_amount,
         SUM(amount) AS total_amount
       FROM app_data.payments
       GROUP BY 1
@@ -17,9 +17,9 @@ exports[`Jinja (new api) render 01.yml.jinja: 01.yml.jinja 1`] = `
     sql: >
       SELECT
         order_id,
-        SUM(CASE WHEN payment_method = 'bank_transfer' THEN amount END) AS bank_transfer_amount,
-        SUM(CASE WHEN payment_method = 'credit_card' THEN amount END) AS credit_card_amount,
-        SUM(CASE WHEN payment_method = 'gift_card' THEN amount END) AS gift_card_amount
+        SUM(CASE WHEN payment_method = 'TRANSFER' THEN amount END) AS bank_transfer_amount,
+        SUM(CASE WHEN payment_method = 'CREDIT' THEN amount END) AS credit_card_amount,
+        SUM(CASE WHEN payment_method = 'GIFT' THEN amount END) AS gift_card_amount
       FROM app_data.payments
       GROUP BY 1"
 `;
@@ -66,7 +66,7 @@ exports[`Jinja (new api) render 04.yml.jinja: 04.yml.jinja 1`] = `
 "
 
 cubes:
-  - name: cube_04_base_events
+  - name: cube_04_\\"base_events\\"
     sql: >
       SELECT *
       FROM public.events
@@ -81,7 +81,7 @@ cubes:
         type: time
   
   - name: cube_04_product_purchases
-    extends: base_events
+    extends: \\"base_events\\"
     sql_table: public.events
 
     dimensions:
@@ -90,7 +90,7 @@ cubes:
         type: time
   
   - name: cube_04_page_views
-    extends: base_events
+    extends: \\"base_events\\"
     sql_table: public.events
 
     dimensions:
@@ -108,21 +108,21 @@ cubes:
     sql_table: public.orders
 
     measures:
-      - name: day
+      - name: \\"day\\"
         type: count_distinct
         sql: user_id
         rolling_window:
           trailing: 1 day
           offset: start
       
-      - name: mau
+      - name: \\"mau\\"
         type: count_distinct
         sql: user_id
         rolling_window:
           trailing: 30 day
           offset: start
       
-      - name: wau
+      - name: \\"wau\\"
         type: count_distinct
         sql: user_id
         rolling_window:
@@ -137,22 +137,22 @@ exports[`Jinja (new api) render 06.yml.jinja: 06.yml.jinja 1`] = `
     sql_table: public.orders
 
     dimensions:
-      - name: id
-        sql: id
-        type: number
+      - name: \\"id\\"
+        sql: \\"id\\"
+        type: \\"number\\"
         primary_key: true
         
-      - name: status
-        sql: status
-        type: string
+      - name: \\"status\\"
+        sql: \\"status\\"
+        type: \\"string\\"
         
-      - name: created_at
-        sql: created_at
-        type: time
+      - name: \\"created_at\\"
+        sql: \\"created_at\\"
+        type: \\"time\\"
         
-      - name: completed_at
-        sql: completed_at
-        type: time
+      - name: \\"completed_at\\"
+        sql: \\"completed_at\\"
+        type: \\"time\\"
         "
 `;
 
@@ -162,16 +162,16 @@ exports[`Jinja (new api) render 07.yml.jinja: 07.yml.jinja 1`] = `
     sql: >
       SELECT
         id AS payment_id,
-        (amount / 100)::NUMERIC(16, 2) AS amount_usd,
-        ((order_selling_price - order_cost_price) / order_cost_price) AS markup
+        (\\"amount\\" / 100)::NUMERIC(16, 2) AS amount_usd,
+        ((\\"order_selling_price\\" - \\"order_cost_price\\") / \\"order_cost_price\\") AS markup
       FROM app_data.payments"
 `;
 
 exports[`Jinja (new api) render 08.yml.jinja: 08.yml.jinja 1`] = `
 "{ cubes:
   - name: cube_08
     sql_table: public.orders
-    data_source: postgres }"
+    data_source: \\"postgres\\" }"
 `;
 
 exports[`Jinja (new api) render arguments-test.yml.jinja: arguments-test.yml.jinja 1`] = `
@@ -180,34 +180,34 @@ exports[`Jinja (new api) render arguments-test.yml.jinja: arguments-test.yml.jin
   arg_sum_integers_int_float: 4.140000000000001
   arg_bool_true: 1
   arg_bool_false: 0
-  arg_str: hello world
-  arg_null: none
-  arg_seq_1: [1, 2, 3, 4, 5]
-  arg_seq_2: [5, 4, 3, 2, 1]
+  arg_str: \\"hello world\\"
+  arg_null: null
+  arg_seq_1: [1,2,3,4,5]
+  arg_seq_2: [5,4,3,2,1]
   arg_sum_tuple: 3
   arg_sum_map: 20"
 `;
 
 exports[`Jinja (new api) render data-model.yml.jinja: data-model.yml.jinja 1`] = `
 "cubes:
 
-  - name: cube_from_api
+  - name: \\"cube_from_api\\"
     measures:
-      - name: count
-        type: count
-      - name: total
-        type: sum
-        sql: amount
+      - name: \\"count\\"
+        type: \\"count\\"
+      - name: \\"total\\"
+        type: \\"sum\\"
+        sql: \\"amount\\"
 
-  - name: cube_from_api_with_dimensions
+  - name: \\"cube_from_api_with_dimensions\\"
     measures:
-      - name: active_users
-        type: count_distinct
-        sql: user_id
+      - name: \\"active_users\\"
+        type: \\"count_distinct\\"
+        sql: \\"user_id\\"
     dimensions:
-      - name: city
-        type: string
-        sql: city_column"
+      - name: \\"city\\"
+        type: \\"string\\"
+        sql: \\"city_column\\""
 `;
 
 exports[`Jinja (new api) render dump_context.yml.jinja: dump_context.yml.jinja 1`] = `
@@ -216,18 +216,18 @@ exports[`Jinja (new api) render dump_context.yml.jinja: dump_context.yml.jinja 1
 print:
   bool_true: true
   bool_false: false
-  string: test string
+  string: \\"test string\\"
   int: 1
   float: 3.1415
-  array_int: [9, 8, 7, 6, 5, 0, 1, 2, 3, 4]
-  array_bool: [true, false, false, true]
-  null: none
-  undefined: none
+  array_int: [9,8,7,6,5,0,1,2,3,4]
+  array_bool: [true,false,false,true]
+  null: null
+  undefined: null
   security_context:
     userId: 1
   env_var:
-    exist: test
-    unknown_fallback: value"
+    exist: \\"test\\"
+    unknown_fallback: \\"value\\""
 `;
 
 exports[`Jinja (new api) render python.yml: python.yml 1`] = `

packages/cubejs-backend-native/test/templates/.utils.jinja

@@ -1,3 +1,7 @@
 {%- macro markup(column1, column2) -%}
   (({{column1}} - {{column2}}) / {{column2}})
-{%- endmacro -%}
+{%- endmacro -%}
+
+{% macro escape_single_quotes(expression) -%}
+{{ expression | replace("'", "''") | safe }}
+{%- endmacro %}

packages/cubejs-backend-native/test/templates/01.yml.jinja

@@ -1,16 +1,18 @@
-{%- set payment_methods = [
-  "bank_transfer",
-  "credit_card",
-  "gift_card"
-] -%}
+{%- import ".utils.jinja" as utils -%}
+
+{%- set payment_methods = {
+  "bank_transfer": "TRANSFER",
+  "credit_card": "CREDIT",
+  "gift_card": "GIFT"
+} -%}
 
 cubes:
   - name: cube_01_1
     sql: >
       SELECT
         order_id,
-        {%- for payment_method in payment_methods %}
-        SUM(CASE WHEN payment_method = '{{payment_method}}' THEN amount END) AS {{payment_method}}_amount,
+        {%- for method, title in payment_methods | items %}
+        SUM(CASE WHEN payment_method = '{{ utils.escape_single_quotes(title) }}' THEN amount END) AS {{ method | safe }}_amount,
         {%- endfor %}
         SUM(amount) AS total_amount
       FROM app_data.payments
@@ -20,8 +22,8 @@ cubes:
     sql: >
       SELECT
         order_id,
-        {%- for payment_method in payment_methods %}
-        SUM(CASE WHEN payment_method = '{{payment_method}}' THEN amount END) AS {{payment_method}}_amount
+        {%- for method, title in payment_methods | items %}
+        SUM(CASE WHEN payment_method = '{{ utils.escape_single_quotes(title) }}' THEN amount END) AS {{ method | safe }}_amount
         {%- if not loop.last %},{% endif %}
         {%- endfor %}
       FROM app_data.payments

packages/cubejs-backend-native/test/templates/02.yml.jinja

@@ -11,9 +11,9 @@ cubes:
     sql: >
       SELECT
       {%- for prop in nested_properties %}
-        {{ prop }}_prop.value AS {{ prop }}
+        {{ prop | safe }}_prop.value AS {{ prop | safe }}
       {%- endfor %}
       FROM public.events
       {%- for prop in nested_properties %}
-      LEFT JOIN UNNEST(properties) AS {{ prop }}_prop ON {{ prop }}_prop.key = '{{ prop }}'
+      LEFT JOIN UNNEST(properties) AS {{ prop | safe }}_prop ON {{ prop | safe }}_prop.key = '{{ prop | safe }}'
       {%- endfor %}

packages/cubejs-backend-native/test/templates/03.yml.jinja

@@ -6,8 +6,8 @@ cubes:
       {%- for country in countries %}
       SELECT 
         *,
-        '{{ country }}' as country
-      FROM {{ country }}_orders
+        '{{ country | safe }}' as country
+      FROM {{ country | safe }}_orders
       {% if not loop.last %}
       UNION ALL
       {% endif %}

packages/cubejs-backend-native/test/templates/04.yml.jinja

@@ -14,7 +14,7 @@ cubes:
       FROM public.events
       WHERE
       {%- for inner_table in tables %}
-        {FILTER_PARAMS.cube_04_{{ inner_table }}.timestamp.filter('timestamp')}
+        {FILTER_PARAMS.cube_04_{{ inner_table | safe }}.timestamp.filter('timestamp')}
         {%- if not loop.last %} AND {% endif %}
       {%- endfor %}
 
@@ -25,7 +25,7 @@ cubes:
   {% endfor %}
 
   {%- for table in tables[1:] %}
-  - name: cube_04_{{ table }}
+  - name: cube_04_{{ table | safe }}
     extends: {{ tables[0] }}
     sql_table: public.events
 

packages/cubejs-backend-native/test/templates/05.yml.jinja

@@ -16,6 +16,6 @@ cubes:
         type: count_distinct
         sql: user_id
         rolling_window:
-          trailing: {{ days }} day
+          trailing: {{ days | safe }} day
           offset: start
       {% endfor %}