Fix PyPI package source for v1.1.0

[sugatoray]

Use jinja2 autoescaping for security purposes

• add select_autoescape(enabled_extensions=('html',)) to line-114.
  

  flytekit/flytekit/deck/deck.py

  Lines 112 to 115 in a968a5a

  	root = os.path.dirname(os.path.abspath(__file__))
  	templates_dir = os.path.join(root, "html")
  	env = Environment(loader=FileSystemLoader(templates_dir))
  	template = env.get_template("template.html")

  • See: flytekit v1.1.0 conda-forge/flytekit-feedstock#14 (comment)

  # 🔥 include autoescaping for security purposes
  # sources:
  # - https://jinja.palletsprojects.com/en/3.0.x/api/#autoescaping
  # - https://stackoverflow.com/a/38642558/8474894 (see in comments)
  # - https://stackoverflow.com/a/68826578/8474894

• Fix non-inclusion of flytekit/deck/html/template.html in v1.1.0: Add MANIFEST.in to fix this bug.

  • The setup.py file tries to package template.html from the root of the repository. But, it has been moved to flytekit/deck/html/template.html.
    

    flytekit/setup.py

    Line 25 in a968a5a

    package_data={"": ["template.html"]},

  • There is no template.html at the root of the package.

    

  • The PyPI package (v1.1.0) does not have any template.html.

  

  • The PyPI package (v1.1.0) also does not include any template.html inside flytekit/deck/html directory.

  

Type

• Bug Fix: 🟠
• Security vulnerability

Are all requirements met?

• Code completed
• Smoke tested
• Unit tests added
• Code documentation added
• Any pending items have an associated Issue

Complete description

How did you fix the bug, make the feature etc. Link to any design docs etc

Tracking Issue

https://github.com/flyteorg/flyte/issues/

[welcome]

Thank you for opening this pull request! 🙌

These tips will help get your PR across the finish line:

• Most of the repos have a PR template; if not, fill it out to the best of your knowledge.
• Sign off your commits (Reference: DCO Guide).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.93%. Comparing base (a968a5a) to head (032f1ad).
Report is 1027 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1088      +/-   ##
==========================================
+ Coverage   86.67%   86.93%   +0.25%     
==========================================
  Files         269      275       +6     
  Lines       25074    25448     +374     
  Branches     2826     2862      +36     
==========================================
+ Hits        21734    22123     +389     
+ Misses       2871     2847      -24     
- Partials      469      478       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pingsutw]

@sugatoray It seems like the dataframe doesn't be rendered correctly if using autoescaping, check the example below

import pandas as pd
from flytekit import task, workflow

@task
def t1() -> pd.DataFrame:
    return pd.DataFrame({"Name": ["Tom", "Joseph"], "Age": [20, 22]})

@workflow
def wf() -> pd.DataFrame:
    return t1()

wf()

The correct output should be like

[wild-endeavor]

hey @sugatoray - would you mind taking a look at the issue kevin pointed out here please? There's no unit test to capture this yet unf. he was testing on a demo cluster i think.

[sugatoray]

Interesting! Let me look into it.

[pingsutw]

@sugatoray You're able to reproduce it locally as well. check this example

[sugatoray]

Some Notes

The following is taken from Flask. It provides more clarity on what autoescaping means in Jinja2 and how to allow expected html tags safely.

I would like to try them in the following order:

1. Use the {% autoescape %} block while rendering the template.

   {% autoescape false %}
       <p>autoescaping is disabled here
       <p>{{ will_not_be_escaped }}
   {% endautoescape %}

2. Use {{ variable | safe }} inside the template (template.html) to specify each variable as safe.

The other alternative will be to pass the generated html template into IPython.display.HTML() function. (This is just a hunch; am not sure if this will work or not)

source: https://flask.palletsprojects.com/en/2.1.x/templating/#controlling-autoescaping

Other Notes

• https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.escape
• https://jinja.palletsprojects.com/en/3.0.x/templates/#autoescape-overrides

[wild-endeavor]

did this work? tests are passing but lint is now complaining. would it be possible to codify the original issue pingsutw raised into a unit test btw?

[wild-endeavor]

@sugatoray were you able to test this? does the safe render things correctly again?
Thank you.

[wild-endeavor]

@sugatoray mind giving me write access to your fork so i can clean up the lint error?

[sugatoray]

@wild-endeavor Sorry about the long silence. I have not had a chance to test if the same rendering error is still happening.

Please let me know what I need to do to give you access to clean up the linting errors.

[pingsutw]

I just tested it, and render stuff looks good to me. Thank you @sugatoray

[welcome]

Congrats on merging your first pull request! 🎉