

Viewing changes to bandit/plugins/jinja2_templates.py

  • Committer: Package Import Robot
  • Author(s): Dave Walker (Daviey)
  • Date: 2015-07-22 09:01:39 UTC
  • Revision ID: package-import@ubuntu.com-20150722090139-fl0nluy0x8m9ctx4
Tags: upstream-0.12.0
Import upstream version 0.12.0




 
1
# -*- coding:utf-8 -*-
 
2
#
 
3
# Copyright 2014 Hewlett-Packard Development Company, L.P.
 
4
#
 
5
# Licensed under the Apache License, Version 2.0 (the "License"); you may
 
6
# not use this file except in compliance with the License. You may obtain
 
7
# a copy of the License at
 
8
#
 
9
#      http://www.apache.org/licenses/LICENSE-2.0
 
10
#
 
11
# Unless required by applicable law or agreed to in writing, software
 
12
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 
13
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 
14
# License for the specific language governing permissions and limitations
 
15
# under the License.
 
16
 
 
17
import ast
 
18
 
 
19
import bandit
 
20
from bandit.core.test_properties import *
 
21
 
 
22
 
 
23
@checks('Call')
 
24
def jinja2_autoescape_false(context):
 
25
    # check type just to be safe
 
26
    if type(context.call_function_name_qual) == str:
 
27
        qualname_list = context.call_function_name_qual.split('.')
 
28
        func = qualname_list[-1]
 
29
        if 'jinja2' in qualname_list and func == 'Environment':
 
30
            for node in ast.walk(context.node):
 
31
                if isinstance(node, ast.keyword):
 
32
                    # definite autoescape = False
 
33
                    if (getattr(node, 'arg', None) == 'autoescape' and
 
34
                            (getattr(node.value, 'id', None) == 'False' or
 
35
                                getattr(node.value, 'value', None) is False)):
 
36
                        return bandit.Issue(
 
37
                            severity=bandit.HIGH,
 
38
                            confidence=bandit.HIGH,
 
39
                            text="Using jinja2 templates with autoescape="
 
40
                                 "False is dangerous and can lead to XSS. "
 
41
                                 "Use autoescape=True to mitigate XSS "
 
42
                                 "vulnerabilities."
 
43
                        )
 
44
                    # found autoescape
 
45
                    if getattr(node, 'arg', None) == 'autoescape':
 
46
                        if (getattr(node.value, 'id', None) == 'True' or
 
47
                                getattr(node.value, 'value', None) is True):
 
48
                            return
 
49
                        else:
 
50
                            return bandit.Issue(
 
51
                                severity=bandit.HIGH,
 
52
                                confidence=bandit.MEDIUM,
 
53
                                text="Using jinja2 templates with autoescape="
 
54
                                     "False is dangerous and can lead to XSS. "
 
55
                                     "Ensure autoescape=True to mitigate XSS "
 
56
                                     "vulnerabilities."
 
57
                            )
 
58
            # We haven't found a keyword named autoescape, indicating default
 
59
            # behavior
 
60
            return bandit.Issue(
 
61
                severity=bandit.HIGH,
 
62
                confidence=bandit.HIGH,
 
63
                text="By default, jinja2 sets autoescape to False. Consider "
 
64
                     "using autoescape=True to mitigate XSS vulnerabilities."
 
65
            )
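Review bot: The keyword scan at `for node in ast.walk(context.node):` visits every descendant of the matched node, so an `autoescape=` keyword belonging to a nested call inside the `Environment(...)` argument list (e.g. a helper invoked to build one of its arguments) is attributed to `Environment` itself and decides the result on the first hit, which can both hide the HIGH-confidence default case and raise a misleading issue. If `context.node` is the `Call` node the `@checks('Call')` decorator suggests, iterating `for node in context.node.keywords:` restricts the check to the constructor's own keyword arguments, and the existing `isinstance(node, ast.keyword)` guard can stay as a harmless no-op. Separately, `if type(context.call_function_name_qual) == str:` would read more idiomatically as `isinstance(context.call_function_name_qual, str)`, and the plugin has no docstring; a short one stating that it flags `jinja2.Environment` construction with autoescape disabled, absent, or set to a non-literal value (the latter at MEDIUM confidence) would make the three return paths easier to follow.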