python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled

Author: semgrep

Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser, because it allows cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True'. You may also consider using 'jinja2.select_autoescape()' to enable automatic escaping only for certain file extensions.
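The following is an added example (not part of the Semgrep rule page or the Jinja2 project) showing what the rule is warning about: the same template rendered with autoescape disabled, enabled, and delegated to select_autoescape(). The template names, the DictLoader contents and the payload string are constructed for illustration.

```python
"""Added example: the effect of Jinja2's autoescape setting on untrusted input.

The template bodies, template names and PAYLOAD below are constructed for
illustration; they are not from the rule page.
"""
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed sample input: what an attacker might submit as a display name.
PAYLOAD = '<script>alert(document.cookie)</script>'

# Constructed templates. The same body is stored under two names so that
# select_autoescape()'s extension-based decision can be observed.
TEMPLATES = {
    "profile.html": "Hello {{ name }}",
    "profile.txt": "Hello {{ name }}",
}


def render_with(env: Environment, template_name: str, **ctx) -> str:
    """Render a named template from the environment's loader."""
    return env.get_template(template_name).render(**ctx)


def unsafe_env() -> Environment:
    """What the rule flags: escaping switched off explicitly."""
    return Environment(loader=DictLoader(TEMPLATES), autoescape=False)


def default_env() -> Environment:
    """No autoescape argument at all. Jinja2's default is False, so this
    behaves like unsafe_env(), but the rule's pattern only matches calls
    that pass autoescape=..., so this call is not reported."""
    return Environment(loader=DictLoader(TEMPLATES))


def safe_env() -> Environment:
    """The rule's suggested fix: escape every template."""
    return Environment(loader=DictLoader(TEMPLATES), autoescape=True)


def selective_env() -> Environment:
    """Escape only templates named *.html, *.htm or *.xml (the default
    enabled_extensions). Strings passed to env.from_string() are escaped
    as well, because default_for_string=True."""
    return Environment(loader=DictLoader(TEMPLATES), autoescape=select_autoescape())


def demo() -> dict:
    """Render the payload under each configuration and return the outputs."""
    return {
        "unsafe_html": render_with(unsafe_env(), "profile.html", name=PAYLOAD),
        "default_html": render_with(default_env(), "profile.html", name=PAYLOAD),
        "safe_html": render_with(safe_env(), "profile.html", name=PAYLOAD),
        "selective_html": render_with(selective_env(), "profile.html", name=PAYLOAD),
        # Caveat: a template whose name has no HTML-like extension is NOT escaped
        # under select_autoescape(), even if the response is served as text/html.
        "selective_txt": render_with(selective_env(), "profile.txt", name=PAYLOAD),
        "selective_string": selective_env().from_string("Hello {{ name }}").render(name=PAYLOAD),
        # Markup marks a value as already safe and bypasses escaping; reserve it
        # for HTML you built or sanitised yourself.
        "safe_markup": render_with(safe_env(), "profile.html", name=Markup("<b>admin</b>")),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label:17} {output}")
```

Two points worth checking in your own code base after this rule fires: Jinja2's Environment defaults to autoescape=False, and the rule definition above only matches calls that pass autoescape= explicitly, so a bare Environment(loader=...) renders the payload unescaped without being reported; and select_autoescape() decides per template name, so templates stored as .txt, .j2 or without an extension stay unescaped unless you pass them in enabled_extensions or set default=True.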

Definition

rules:
  - id: incorrect-autoescape-disabled
    patterns:
      - pattern: jinja2.Environment(... , autoescape=$VAL, ...)
      - pattern-not: jinja2.Environment(... , autoescape=True, ...)
      - pattern-not: jinja2.Environment(... , autoescape=jinja2.select_autoescape(...), ...)
      - focus-metavariable: $VAL
    fix: |
      True
    message: Detected a Jinja2 environment with 'autoescaping' disabled. This is
      dangerous if you are rendering to a browser, because it allows
      cross-site scripting (XSS) attacks. If you are in a web context, enable
      'autoescaping' by setting 'autoescape=True'. You may also consider using
      'jinja2.select_autoescape()' to enable automatic escaping only for certain
      file extensions.
    metadata:
      source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      references:
        - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
      category: security
      technology:
        - jinja2
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - python
    severity: WARNING

Examples

autoescape-disabled-false.py

# cf. https://github.com/PyCQA/bandit/blob/02bad2e42311f420aef52dcd9806d66516ef594d/examples/jinja2_templating.py

import jinja2
from jinja2 import Environment, select_autoescape
templateLoader = jinja2.FileSystemLoader(searchpath="/")
something = ''

# ok:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=True)

# ok:incorrect-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=True, loader=templateLoader)

# ruleid:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=something)


# ruleid:incorrect-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader)


Environment(loader=templateLoader,
# ruleid:incorrect-autoescape-disabled
            autoescape=False)


# ok:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=select_autoescape())

Environment(loader=templateLoader,
# ok:incorrect-autoescape-disabled
            autoescape=select_autoescape(['html', 'htm', 'xml']))

def fake_func():
    return 'foobar'

# ruleid:incorrect-autoescape-disabled
Environment(loader=templateLoader, autoescape=fake_func())