python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled
semgrep
Author
unknown
Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.
Definition
rules:
- id: incorrect-autoescape-disabled
  patterns:
  - pattern: jinja2.Environment(... , autoescape=$VAL, ...)
  - pattern-not: jinja2.Environment(... , autoescape=True, ...)
  - pattern-not: jinja2.Environment(... , autoescape=jinja2.select_autoescape(...), ...)
  - focus-metavariable: $VAL
  fix: |
    True
  message: Detected a Jinja2 environment with 'autoescaping' disabled. This is
    dangerous if you are rendering to a browser because this allows for
    cross-site scripting (XSS) attacks. If you are in a web context, enable
    'autoescaping' by setting 'autoescape=True.' You may also consider using
    'jinja2.select_autoescape()' to only enable automatic escaping for certain
    file extensions.
  metadata:
    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
    cwe:
    - "CWE-116: Improper Encoding or Escaping of Output"
    owasp:
    - A03:2021 - Injection
    references:
    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
    category: security
    technology:
    - jinja2
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Encoding
  languages:
  - python
  severity: WARNING
Examples
autoescape-disabled-false.py
# cf. https://github.com/PyCQA/bandit/blob/02bad2e42311f420aef52dcd9806d66516ef594d/examples/jinja2_templating.py
import jinja2
from jinja2 import Environment, select_autoescape

templateLoader = jinja2.FileSystemLoader(searchpath="/")
something = ''

# Autoescaping explicitly enabled: not flagged.
# ok:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=True)

# ok:incorrect-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=True,
                                 loader=templateLoader)

# Value other than True / select_autoescape(): flagged, even when it is a variable.
# ruleid:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=something)

# ruleid:incorrect-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader)

# focus-metavariable: $VAL puts the finding on the line carrying the value.
Environment(loader=templateLoader,
            # ruleid:incorrect-autoescape-disabled
            autoescape=False)

# select_autoescape() is the other accepted form: not flagged.
# ok:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=select_autoescape())

Environment(loader=templateLoader,
            # ok:incorrect-autoescape-disabled
            autoescape=select_autoescape(['html', 'htm', 'xml']))

def fake_func():
    return 'foobar'

# An arbitrary call result is not statically known to enable escaping: flagged.
# ruleid:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=fake_func())
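What the ruleid/ok configurations above do at render time, as an added example that is not part of the rule or its test file. The templates, the DictLoader and the untrusted input are constructed here; the same page template is rendered with autoescaping off, on, and under select_autoescape().

```python
# Added example (not from the Semgrep rule or its test file): renders the same
# untrusted value through the configurations the rule flags and accepts.
from jinja2 import Environment, DictLoader, select_autoescape

# Constructed templates: one HTML page and one plain-text message body.
TEMPLATES = {
    "page.html": "<p>Hello {{ name }}</p>",
    "mail.txt": "Hello {{ name }}",
}

# Constructed untrusted input, as a request parameter might carry it.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render(env: Environment, template_name: str) -> str:
    return env.get_template(template_name).render(name=UNTRUSTED_NAME)


def render_unescaped() -> str:
    # The configuration the rule flags: markup in `name` reaches the browser as-is.
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=False)
    return render(env, "page.html")


def render_escaped() -> str:
    # The rule's suggested fix: every substituted variable is HTML-escaped.
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    return render(env, "page.html")


def render_selective() -> tuple:
    # select_autoescape() escapes only templates whose name has one of the
    # listed extensions; the .txt body is left untouched, which is what you
    # want for non-HTML output such as e-mail text.
    env = Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(["html", "htm", "xml"]),
    )
    return render(env, "page.html"), render(env, "mail.txt")


if __name__ == "__main__":
    print(render_unescaped())   # <p>Hello <script>alert(1)</script></p>
    print(render_escaped())     # <p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>
    print(render_selective())
```

Note that autoescaping is a default, not a guarantee: a template that applies `|safe` or wraps a value in `Markup` opts that value out again, so reviewing those uses is the complement to fixing this finding.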
Short Link: https://sg.run/L2L7