

B701: Test for not auto escaping in jinja2
Jinja2 is a Python HTML templating system. It is typically used to build web applications, though it appears in other places as well, notably the Ansible automation system. When configuring the Jinja2 environment, the option to use autoescaping on input can be specified. When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks.

Unfortunately, autoescaping is False by default. Thus this plugin test will warn on omission of an autoescape setting, as well as an explicit setting of false. A HIGH severity warning is generated in either of these scenarios.
srevinsaju committed Sep 13, 2020
1 parent a40f95c commit ec65c5e
Showing 2 changed files with 16 additions and 10 deletions.
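--- a/aslo4/generator.py
+++ b/aslo4/generator.py
@@ -808,8 +808,12 @@ def unpack_static(self, extract_dir):
 for i in ('css', 'img', 'favicon', 'js'):
 _dir = os.path.join(args.pull_static_css_js_html, i)
 if sys.version_info.minor >= 8:
-shutil.copytree(_dir, extract_dir, symlinks=True,
-ignore_dangling_symlinks=True, dirs_exist_ok=True)
+shutil.copytree(
+_dir,
+extract_dir,
+symlinks=True,
+ignore_dangling_symlinks=True,
+dirs_exist_ok=True)
 else:
 if os.path.exists(extract_dir):
 print("Going to remove {}".format(extract_dir))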
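--- a/aslo4/lib/utils.py
+++ b/aslo4/lib/utils.py
@@ -57,7 +57,7 @@ def git_checkout_latest_tag(path_to_git_repository):
 e_code = git_rev_list_tags_max_count.wait(50)
 if e_code != 0:
 cprint("FATAL: Could not process `rev-list --tags` for {}".format(
-path_to_git_repository
+path_to_git_repository
 ), "red")
 return 1
 
@@ -102,8 +102,8 @@ def git_checkout_latest_tag(path_to_git_repository):
 if ecode != 0:
 cprint("WARN: checking out {} to tag {} failed. Fallback to "
 "master.".format(
-path_to_git_repository, tag
-),
+path_to_git_repository, tag
+),
 "yellow")
 return 1
 return 0
@@ -127,9 +127,9 @@ def git_checkout(path_to_git_repository, branch="master"):
 
 if ecode != 0:
 cprint("WARN: checking out {} to {} failed.".format(
-path_to_git_repository, branch
-),
-"yellow")
+path_to_git_repository, branch
+),
+"yellow")
 return 1
 return 0
@@ -155,8 +155,10 @@ def read_parse_and_write_template(
 
 print("[STATIC] Reading template: {}".format(output_path_file_name))
 with open(html_template_path, 'r') as _buffer:
-html_template = Environment(loader=file_system_loader) \
-.from_string(_buffer.read())
+html_template = Environment(
+loader=file_system_loader,
+autoescape=True).from_string(
+_buffer.read())
 
 print("[STATIC] Writing parsed template: {}".format(output_path_file_name))
 with open(html_output_path, 'w') as w: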
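Review bot: `autoescape=True` at the new `Environment(` call in the last hunk is the right default, but it only escapes values substituted into template variables; it does nothing for any `|safe` filter or `Markup` value the templates may use, and the template text itself is loaded with `from_string` from `html_template_path`, so that file must remain trusted content. Worth pinning with a comment so the flag is not dropped later to "fix" double-escaping: `# autoescape=True: HTML-escape every template variable (bandit B701); keep it on and mark trusted markup with |safe per value`. Separately, both `open(html_template_path, 'r')` and `open(html_output_path, 'w')` rely on the platform default encoding; passing `encoding='utf-8'` to each would make non-ASCII HTML round-trip identically on every platform. `read_parse_and_write_template` starts before this hunk and its body continues past it.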
