python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled


Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True'. You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.


Definition

rules:
  - id: missing-autoescape-disabled
    patterns:
      - pattern-not: jinja2.Environment(..., autoescape=$VAL, ...)
      - pattern: jinja2.Environment(...)
    fix-regex:
      regex: (.*)\)
      replacement: \1, autoescape=True)
    message: Detected a Jinja2 environment without autoescaping. Jinja2 does not
      autoescape by default. This is dangerous if you are rendering to a browser
      because this allows for cross-site scripting (XSS) attacks. If you are in
      a web context, enable autoescaping by setting 'autoescape=True.' You may
      also consider using 'jinja2.select_autoescape()' to only enable automatic
      escaping for certain file extensions.
    metadata:
      source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      references:
        - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
      category: security
      technology:
        - jinja2
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - python
    severity: WARNING
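The check this rule performs, restated as a small stdlib-only Python checker so the matching semantics can be tried offline (an example added here, not code from Semgrep, Bandit or Jinja2). Like the rule's pattern-not clause it accepts any autoescape value; it additionally lists calls that pass a literal autoescape=False, which this rule leaves alone but the referenced Bandit B701 plugin reports. The SAMPLE source is constructed to mirror the test file below.

```python
import ast


def _is_environment_call(node: ast.Call) -> bool:
    """True for `jinja2.Environment(...)` and for a bare `Environment(...)`."""
    fn = node.func
    if isinstance(fn, ast.Attribute):
        return (fn.attr == "Environment"
                and isinstance(fn.value, ast.Name) and fn.value.id == "jinja2")
    return isinstance(fn, ast.Name) and fn.id == "Environment"


def audit_autoescape(source: str) -> dict:
    """Return {'missing': [lines], 'disabled': [lines]} for Environment() calls.

    'missing'  = no autoescape keyword at all (what the rule above reports).
    'disabled' = a literal autoescape=False (not flagged by this rule, but
                 reported by Bandit B701, which the rule metadata references).
    Any other value, e.g. select_autoescape() or a variable, counts as ok.
    """
    result = {"missing": [], "disabled": []}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_environment_call(node)):
            continue
        kw = next((k for k in node.keywords if k.arg == "autoescape"), None)
        if kw is None:
            result["missing"].append(node.lineno)
        elif isinstance(kw.value, ast.Constant) and kw.value.value is False:
            result["disabled"].append(node.lineno)
    return result


# Constructed sample input; line numbers are 1-based within this string.
SAMPLE = """\
import jinja2
from jinja2 import Environment, select_autoescape
loader = jinja2.FileSystemLoader(searchpath="/")
jinja2.Environment(autoescape=True, loader=loader)          # ok
Environment(loader=loader, autoescape=False)               # disabled
Environment(loader=loader)                                 # missing: rule fires
Environment(loader=loader, autoescape=select_autoescape()) # ok
"""

if __name__ == "__main__":
    print(audit_autoescape(SAMPLE))  # {'missing': [6], 'disabled': [5]}
```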

Examples

missing-autoescape-disabled.py

# cf. https://github.com/PyCQA/bandit/blob/02bad2e42311f420aef52dcd9806d66516ef594d/examples/jinja2_templating.py

import jinja2
from jinja2 import Environment, select_autoescape
templateLoader = jinja2.FileSystemLoader(searchpath="/")
something = ''

# ok:missing-autoescape-disabled
Environment(loader=templateLoader, load=templateLoader, autoescape=True)

# ok:missing-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=True,
                                 loader=templateLoader)

# ok:missing-autoescape-disabled
Environment(loader=templateLoader, load=templateLoader, autoescape=something)


# ok:missing-autoescape-disabled
templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader)


# ok:missing-autoescape-disabled
Environment(loader=templateLoader,
            load=templateLoader,
            autoescape=False)


# ruleid:missing-autoescape-disabled
Environment(loader=templateLoader,
            load=templateLoader)

# ok:missing-autoescape-disabled
Environment(loader=templateLoader, autoescape=select_autoescape())

# ok:missing-autoescape-disabled
Environment(loader=templateLoader,
            autoescape=select_autoescape(['html', 'htm', 'xml']))


def fake_func():
    return 'foobar'


# ok:missing-autoescape-disabled
Environment(loader=templateLoader, autoescape=fake_func())