security(giskard-agents)!: opt-in Jinja parsing for Workflow.chat#2346
Merged
kevinmessiaen merged 7 commits intomainfrom Apr 3, 2026
Merged
Conversation
Plain strings passed to chat() are appended as literal Message content by default, avoiding server-side template injection when user input is forwarded to the model. Use as_template=True or MessageTemplate for Jinja-rendered strings. BREAKING CHANGE: str arguments to ChatWorkflow.chat() and BaseGenerator.chat() are no longer parsed as Jinja2 templates unless as_template=True. Refs: ENG-1488 Also sync uv.lock with current workspace package versions. Made-with: Cursor
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the chat() method to treat strings as literal text by default, introducing an as_template parameter to explicitly enable Jinja2 templating. This change is applied to both BaseGenerator and ChatWorkflow classes and is accompanied by documentation updates and test adjustments. Feedback suggests enhancing the docstrings for these methods by adding missing parameter descriptions for role and as_template to ensure consistency and completeness.
Add a Parameters section to ChatWorkflow.chat. Document role in BaseGenerator.chat for consistency. Made-with: Cursor
mattbit
reviewed
Mar 31, 2026
| role : Role, default "user" | ||
| The role for the message, used when ``message`` is a string. | ||
| as_template : bool, default False | ||
| When True, parse a string ``message`` as a Jinja2 template. |
Member
There was a problem hiding this comment.
Let's warn about the security implications of this in the docstring.
…ve-automatic-conversion-to
davidberenstein1957
approved these changes
Apr 2, 2026
Member
davidberenstein1957
left a comment
There was a problem hiding this comment.
Can be merged, but these changes should also be represented in the docs.
…ve-automatic-conversion-to
…ve-automatic-conversion-to
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Plain strings passed to chat() are appended as literal Message content by default, avoiding server-side template injection when user input is forwarded to the model. Use as_template=True or MessageTemplate for Jinja-rendered strings.
BREAKING CHANGE: str arguments to ChatWorkflow.chat() and BaseGenerator.chat() are no longer parsed as Jinja2 templates unless as_template=True.
Refs: ENG-1488
Also sync uv.lock with current workspace package versions.