python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML.

Run Locally

Run in CI

Defintion

rules:
  - id: pyramid-direct-use-of-response
    message: Detected data rendered directly to the end user via 'Response'. This
      bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could
      result in an XSS vulnerability. Use Pyramid's template engines to safely
      render HTML.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - python
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-inside: |
              @pyramid.view.view_config( ... )
              def $VIEW($REQ):
                ...
          - pattern: $REQ.$ANYTHING
          - pattern-not: $REQ.dbsession
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: |
                  pyramid.request.Response.text($SINK)
              - pattern: |
                  pyramid.request.Response($SINK)
              - pattern: |
                  $REQ.response.body = $SINK
              - pattern: |
                  $REQ.response.text = $SINK
              - pattern: |
                  $REQ.response.ubody = $SINK
              - pattern: |
                  $REQ.response.unicode_body = $SINK
          - pattern: $SINK

Examples

direct-use-of-response.py

from pyramid.view import view_config
from pyramid.request import Response


@view_config(route_name='bad_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_bad_view1(request):
    param = request.params.get('p', '')
    content = """
<html>
    <body>
        <p>Param: {0}</p>
    </body>
</html>""".format(param)
    # ruleid: pyramid-direct-use-of-response
    return Response(content)


@view_config(route_name='bad_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_bad_view2(request):
    param = request.params.get('p', '')
    # ruleid: pyramid-direct-use-of-response
    request.response.body = """
<html>
    <body>
        <p>Param: {0}</p>
    </body>
</html>""".format(param)
    return request.response


@view_config(route_name='good_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_good_view1(request):
    # ok: pyramid-direct-use-of-response
    return {'project': 'pyramid_test_mako', 'Param': request.params.get('p', '')}


@view_config(route_name='good_route')
def my_good_view2(request):
    # ok: pyramid-direct-use-of-response
    request.response.body = "HELLO!"
    return request.response