masci / banks / 24994328106
95%

Build:
DEFAULT BRANCH: main
Ran 27 Apr 2026 12:14PM UTC
Jobs 1
Files 24
Run time 1min
27 Apr 2026 12:13PM UTC coverage: 94.769% (+0.006%) from 94.763%
24994328106

push

github

web-flow
fix: prevent SSTI by switching to SandboxedEnvironment (#74)

* docs: warn that prompt templates are trusted code

Templates are rendered in an unsandboxed Jinja2 environment, so passing
untrusted user input as template text allows arbitrary code execution.
Document the safe pattern (variables) vs the unsafe one (raw user strings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: use SandboxedEnvironment to prevent SSTI

Switch from jinja2.Environment to jinja2.sandbox.SandboxedEnvironment.
This blocks access to dunder attributes in templates, preventing SSTI
payloads from reaching __builtins__ and executing arbitrary code.

All existing tests pass unchanged. Add a regression test that verifies
the canonical SSTI payload raises an exception.

Also document that templates are trusted code and that user-supplied
strings must never be passed as template text.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: tighten SSTI test to assert SecurityError and update docs to reflect SandboxedEnvironment

Agent-Logs-Url: https://github.com/masci/banks/sessions/de6273d5-80bf-468c-8853-feeb273a7294

Co-authored-by: masci <7241+masci@users.noreply.github.com>

* chore: remove e2e tests and Python 3.9 from CI

e2e tests require an OpenAI API key that is no longer valid.
Python 3.9 is EOL (Oct 2025) and newer virtualenv drops support for it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: masci <7241+masci@users.noreply.github.com>

102 of 108 branches covered (94.44%)

Branch coverage included in aggregate %.

2 of 2 new or added lines in 1 file covered. (100.0%)

840 of 886 relevant lines covered (94.81%)

0.95 hits per line

Jobs
ID  Job ID         Ran                      Files  Coverage
1   24994328106.1  27 Apr 2026 12:14PM UTC  24     94.77
GitHub Action Run
Source Files on build 24994328106
  • Github Actions Build #24994328106
  • dbf7cef7 on github
  • Prev Build on main (#22096426347)
© 2026 Coveralls, Inc