Question: Jinja2 package sandboxing

[bdashore3]

Hi there,
I was looking into the @huggingface/jinja package as an alternative to nunjucks and was wondering if it's safe to use with user-defined templates. The main reason I'm asking this is because of a warning on the nunjucks website:

nunjucks does not sandbox execution so it is not safe to run user-defined templates or inject user-defined content into template definitions. On the server, you can expose attack vectors for accessing sensitive data and remote code execution. On the client, you can expose cross-site scripting vulnerabilities even for precompiled templates (which can be mitigated with a strong CSP). See this issue for more information.

This is not a huge concern at the moment based on how I handle templates in my software, but I may need to make the switch at some point to something more secure.

If @xenova can answer, that would be very helpful. Thanks!

[xenova]

Hi @bdashore3 👋 Indeed, @huggingface/jinja execution is sandboxed for this exact reason, so you are able to use it to parse user-defined templates.

Do note, however, that the library is not 100% feature compatible with the Jinja templating language, as it is a minimalistic re-implementation, designed specifically for chat templates.

Hopefully that answers your questions!

[bdashore3]

Thanks for the quick response @xenova. This seems very helpful for my usecase.

After looking through the package, I had a few questions/suggestions:

1. Exposing AST types: I tried to traverse the template node tree via template.parsed and can figure out the type of a statement, but I can't check/cast that statement to the appropriate type. For example, a statement with type Set can't be interpreted as a SetStatement since the type isn't exposed from the package. I can try making a PR for this.
2. Multiline set/endset: This should make it easier when setting variables that span multiple lines (Documentation). This will support tool templates such as FireFunctionV2
3. Document which filters/features are supported: Every default filter provided by jinja isn't supported in this library, so it would be helpful to new users if they knew what subset of jinja is supported in this lib.

Thanks in advance.

[xenova]

For example, a statement with type Set can't be interpreted as a SetStatement since the type isn't exposed from the package. I can try making a PR for this.

That would be great - thanks!

Multiline set/endset: This should make it easier when setting variables that span multiple lines (Documentation). This will support tool templates such as FireFunctionV2

I wasn't aware of this feature, but if it's important, feel free to open a feature request / PR! :)

Document which filters/features are supported: Every default filter provided by jinja isn't supported in this library, so it would be helpful to new users if they knew what subset of jinja is supported in this lib.

This is also a good idea, and could be a useful way to indicate to users what functionality to include in their templates (since in the past, we've seen some people use very niche behaviour of jinja that aren't necessarily supported by other jinja implementations, like minijinja. cc @Rocketknight1 for any ideas here.

[Rocketknight1]

Hi @bdashore3, yes, this is something we're thinking about. A standardized subset that we expect every library to support would simplify things, but every 3 months another model comes out with a new and wacky approach to tool calling or something, and we realize we need a feature we didn't have before!