# Copyright 2014 Hewlett-Packard Development Company, L.P.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
from bandit.core.test_properties import *
def jinja2_autoescape_false(context):
# check type just to be safe
if type(context.call_function_name_qual) == str:
qualname_list = context.call_function_name_qual.split('.')
func = qualname_list[-1]
if 'jinja2' in qualname_list and func == 'Environment':
for node in ast.walk(context.node):
if isinstance(node, ast.keyword):
# definite autoescape = False
if (getattr(node, 'arg', None) == 'autoescape' and
(getattr(node.value, 'id', None) == 'False' or
getattr(node.value, 'value', None) is False)):
confidence=bandit.HIGH,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
"Use autoescape=True to mitigate XSS "
if getattr(node, 'arg', None) == 'autoescape':
if (getattr(node.value, 'id', None) == 'True' or
getattr(node.value, 'value', None) is True):
confidence=bandit.MEDIUM,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
"Ensure autoescape=True to mitigate XSS "
# We haven't found a keyword named autoescape, indicating default
confidence=bandit.HIGH,
text="By default, jinja2 sets autoescape to False. Consider "
"using autoescape=True to mitigate XSS vulnerabilities."