# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
from bandit.core.test_properties import *
def use_of_mako_templates(context):
# check type just to be safe
if type(context.call_function_name_qual) == str:
qualname_list = context.call_function_name_qual.split('.')
func = qualname_list[-1]
if 'mako' in qualname_list and func == 'Template':
# unlike Jinja2, mako does not have a template wide autoescape
# feature and thus each variable must be carefully sanitized.
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="Mako templates allow HTML/JS rendering by default and "
"are inherently open to XSS attacks. Ensure variables "
"in all templates are properly sanitized via the 'n', "
"'h' or 'x' flags (depending on context). For example, "
"to HTML escape the variable 'data' do ${ data |h }."