python.aws-lambda.security.tainted-html-string.tainted-html-string

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.

Run Locally

Run in CI

Defintion

rules:
  - id: tainted-html-string
    languages:
      - python
    severity: WARNING
    message: Detected user input flowing into a manually constructed HTML string.
      You may be accidentally bypassing secure methods of rendering HTML by
      manually constructing HTML and this could create a cross-site scripting
      vulnerability, which could let attackers steal sensitive user data. To be
      sure this is safe, check that the HTML is rendered safely. Otherwise, use
      templates which will safely render HTML instead.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - aws-lambda
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: event
          - pattern-inside: |
              def $HANDLER(event, context):
                ...
    pattern-sinks:
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern-either:
                      - pattern: '"$HTMLSTR" % ...'
                      - pattern: '"$HTMLSTR".format(...)'
                      - pattern: '"$HTMLSTR" + ...'
                      - pattern: f"$HTMLSTR{...}..."
              - patterns:
                  - pattern-inside: |
                      $HTML = "$HTMLSTR"
                      ...
                  - pattern-either:
                      - pattern: $HTML % ...
                      - pattern: $HTML.format(...)
                      - pattern: $HTML + ...
          - metavariable-pattern:
              metavariable: $HTMLSTR
              language: generic
              pattern: <$TAG ...
          - pattern-not-inside: |
              print(...)

Examples

tainted-html-string.py

def lambda_handler(event, context):
  # ruleid: tainted-html-string
	foobar(f"<div>{event['input']}</div>")

	response = {}

	link1 = '<a href="http://external/abc/%s">Check link href</a>'
  # ruleid: tainted-html-string
	response['html1'] = link1 % event['input']

  # ruleid: tainted-html-string
	response['html2'] = '<a href="http://external/abc/' + event['input'] + '">Check link href</a>'


	link2 = '<a href="http://external/abc/{}">Check link href</a>'
  # ruleid: tainted-html-string
	response['html3'] = link2.format(event['input'])

	print(f"<div>{event['input']}</div>")

	link_ok = '<a href="http://external/abc/{}">Check link href</a>'
	response['html3'] = link_ok.format("123")

	response['message'] = 'Data: [' + event['input'] + ']'

	result = {
		"statusCode": 200,
		"body": response
	}
	return result