[BACKPORT] 1.3.latest 7630 (#8605)

* Exclude some profile fields from Jinja rendering when they are not valid Jinja. (#7630) * CT-2583: Exclude some profile fields from Jinja rendering. * CT-2583: Add functional test. * CT-2583: Change approach to password jinja detection * CT-2583: Extract string constant and add additional checks * CT-2583: Improve unit test coverage * Exclude some profile fields from Jinja rendering when they are not valid Jinja. (#7630) * CT-2583: Exclude some profile fields from Jinja rendering. * CT-2583: Add functional test. * CT-2583: Change approach to password jinja detection * CT-2583: Extract string constant and add additional checks * CT-2583: Improve unit test coverage * Remove unneeded unit test. --------- Co-authored-by: Peter Webb <[email protected]>
dbt-labs · Sep 19, 2023 · 43ec442 · 43ec442
1 parent 84860e5
commit 43ec442
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/.changes/unreleased/Fixes-20230515-142851.yaml b/.changes/unreleased/Fixes-20230515-142851.yaml
@@ -0,0 +1,6 @@
+kind: Fixes
+body: Exclude password fields from Jinja rendering.
+time: 2023-05-15T14:28:51.400321-04:00
+custom:
+  Author: peterallenwebb
+  Issue: "7629"
diff --git a/core/dbt/config/renderer.py b/core/dbt/config/renderer.py
@@ -181,7 +181,17 @@ def render_value(self, value: Any, keypath: Optional[Keypath] = None) -> Any:
         # First, standard Jinja rendering, with special handling for 'secret' environment variables
         # "{{ env_var('DBT_SECRET_ENV_VAR') }}" -> "$$$DBT_SECRET_START$$$DBT_SECRET_ENV_{VARIABLE_NAME}$$$DBT_SECRET_END$$$"
         # This prevents Jinja manipulation of secrets via macros/filters that might leak partial/modified values in logs
-        rendered = super().render_value(value, keypath)
+
+        try:
+            rendered = super().render_value(value, keypath)
+        except Exception as ex:
+            if keypath and "password" in keypath:
+                # Passwords sometimes contain jinja-esque characters, but we
+                # don't want to render them if they aren't valid jinja.
+                rendered = value
+            else:
+                raise ex
+
         # Now, detect instances of the placeholder value ($$$DBT_SECRET_START...DBT_SECRET_END$$$)
         # and replace them with the actual secret value
         if SECRET_ENV_PREFIX in str(rendered):