From 8cf29eb71b3586b7a2a3525c078028f8bd4fd56e Mon Sep 17 00:00:00 2001 From: Liangliang He Date: Mon, 4 Nov 2019 11:09:57 +0800 Subject: [PATCH] Force jinja escape quoted string to prevent security issues when using third party models --- mace/python/tools/operator.jinja2 | 3 ++- mace/python/tools/str2vec_maps.cc.jinja2 | 4 ++-- tools/python/template/model.jinja2 | 2 +- tools/python/template/operator.jinja2 | 3 ++- tools/python/template/tensor_source.jinja2 | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/mace/python/tools/operator.jinja2 b/mace/python/tools/operator.jinja2 index 8ef5bbfc5..c1cea9a68 100644 --- a/mace/python/tools/operator.jinja2 +++ b/mace/python/tools/operator.jinja2 @@ -64,7 +64,8 @@ namespace {{tag}} { {% for i in range(start, end) %} void CreateOperator{{i}}(mace::OperatorDef *op) { - MACE_LATENCY_LOGGER(2, "Create operator {{ net.op[i].name }}"); + MACE_LATENCY_LOGGER(2, "Create operator", + {{ net.op[i].name|default("undefined")|tojson }}); mace::Argument *arg = nullptr; op->mutable_arg()->Reserve({{ net.op[i].arg|length }}); diff --git a/mace/python/tools/str2vec_maps.cc.jinja2 b/mace/python/tools/str2vec_maps.cc.jinja2 index d88347172..ebb27b385 100644 --- a/mace/python/tools/str2vec_maps.cc.jinja2 +++ b/mace/python/tools/str2vec_maps.cc.jinja2 @@ -25,10 +25,10 @@ namespace {{tag}} { const std::map {{variable_name}} = { {% for key, encrypted_code in maps.items() %} { - "{{key}}", { + {{key|tojson}}, { { {%- for header in encrypted_code['headers'] -%} - "{{header}}", + {{header|tojson}}, {%- endfor -%} }, { diff --git a/tools/python/template/model.jinja2 b/tools/python/template/model.jinja2 index 494b09860..68247fd23 100644 --- a/tools/python/template/model.jinja2 +++ b/tools/python/template/model.jinja2 
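Review bot: In mace/python/tools/operator.jinja2 the new first argument is `"Create operator",` with no trailing space, while the otherwise identical change to tools/python/template/operator.jinja2 later in this patch uses `"Create operator ",`. Both files were blob 8ef5bbfc5 before the patch and now carry different blob ids (c1cea9a68 and c899f3f3c), so the two copies have drifted. MACE_LATENCY_LOGGER is not visible here, but if it joins its arguments without a separator, this copy will log the operator name glued to the word "operator". I would change the line to `MACE_LATENCY_LOGGER(2, "Create operator ",` so both templates stay identical. CreateOperator's body continues past the end of the hunk.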
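Review bot: In str2vec_maps.cc.jinja2, `{{key|tojson}}` and `{{header|tojson}}` emit JSON string literals, and JSON's string grammar is close to but not the same as C++'s, so the filter is used outside the context it was designed for. Jinja's `tojson` writes non-ASCII text and a few ASCII characters as `\uXXXX` escapes and leaves `?` untouched, whereas a C++ compiler has its own rules for universal-character-names and, in older language modes with trigraphs enabled, for `??` sequences. Map keys and header names have to round-trip exactly, so I would either register a small dedicated C++ string-literal filter in the generator and use it here, or validate these strings against an allowlist before rendering and fail the conversion otherwise. The same consideration applies to the logger arguments in the operator, model and tensor_source hunks. The initializer continues past the end of the hunk, so any further interpolations below it are not covered by this note.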
@@ -134,7 +134,7 @@ void CreateTensors(NetDef *net_def) { namespace {{tag}} { MACE_API const std::shared_ptr CreateNet() { - MACE_LATENCY_LOGGER(1, "Create net {{ net.name }}"); + MACE_LATENCY_LOGGER(1, "Create net ", {{ net.name|default("undefined")|tojson }}); std::shared_ptr net_def(new NetDef()); diff --git a/tools/python/template/operator.jinja2 b/tools/python/template/operator.jinja2 index 8ef5bbfc5..c899f3f3c 100644 --- a/tools/python/template/operator.jinja2 +++ b/tools/python/template/operator.jinja2 @@ -64,7 +64,8 @@ namespace {{tag}} { {% for i in range(start, end) %} void CreateOperator{{i}}(mace::OperatorDef *op) { - MACE_LATENCY_LOGGER(2, "Create operator {{ net.op[i].name }}"); + MACE_LATENCY_LOGGER(2, "Create operator ", + {{ net.op[i].name|default("undefined")|tojson }}); mace::Argument *arg = nullptr; op->mutable_arg()->Reserve({{ net.op[i].arg|length }}); diff --git a/tools/python/template/tensor_source.jinja2 b/tools/python/template/tensor_source.jinja2 index f281e88a3..ccbc55784 100644 --- a/tools/python/template/tensor_source.jinja2 +++ b/tools/python/template/tensor_source.jinja2 @@ -23,7 +23,8 @@ namespace mace { namespace {{tag}} { void CreateTensor{{tensor_id}}(mace::ConstTensor *const_tensor) { - MACE_LATENCY_LOGGER(2, "Create tensor {{ tensor.name }}"); + MACE_LATENCY_LOGGER(2, "Create tensor ", + {{ tensor.name|default("undefined")|tojson }}); const_tensor->set_name({{ tensor.name|tojson }}); const_tensor->set_offset({{ tensor.offset }}); const_tensor->set_data_size({{ tensor.data_size }});
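Review bot: In model.jinja2, `default("undefined")` only substitutes when `net.name` is undefined in the template context; a name that is present but empty passes through and is rendered as `""`. If `net` is a protobuf message (the hunk does not show its type), an unset string field would read as an empty string rather than as undefined, so the fallback would likely never be used. Passing the filter's boolean flag, `{{ net.name|default("undefined", true)|tojson }}`, makes the fallback cover empty names as well. The same expression appears in both operator.jinja2 hunks and in the tensor_source.jinja2 hunk. CreateNet's body continues past the end of the hunk.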
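Review bot: In tensor_source.jinja2 the context lines `set_offset({{ tensor.offset }})` and `set_data_size({{ tensor.data_size }})` still interpolate values from `tensor` into the generated C++ without any filter, while the string fields next to them now go through `tojson`. If these are integer protobuf fields they cannot carry arbitrary text, but the template does not enforce that and the hunk does not show where `tensor` is built. Adding Jinja's `int` filter, `const_tensor->set_offset({{ tensor.offset|int }});` and `const_tensor->set_data_size({{ tensor.data_size|int }});`, would make the numeric-only assumption explicit at the point of output. `{{tag}}` and `{{tensor_id}}` are also emitted raw into identifiers. If they are produced by the tool rather than read from the model, a short template comment saying so would record why they need no escaping.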