python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pyramid-direct-use-of-response
    message: Detected data rendered directly to the end user via 'Response'. This
      bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could
      result in an XSS vulnerability. Use Pyramid's template engines to safely
      render HTML.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      category: security
      technology:
        - pyramid
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-inside: |
              @pyramid.view.view_config( ... )
              def $VIEW($REQ):
                ...
          - pattern: $REQ.$ANYTHING
          - pattern-not: $REQ.dbsession
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: |
                  pyramid.request.Response.text($SINK)
              - pattern: |
                  pyramid.request.Response($SINK)
              - pattern: |
                  $REQ.response.body = $SINK
              - pattern: |
                  $REQ.response.text = $SINK
              - pattern: |
                  $REQ.response.ubody = $SINK
              - pattern: |
                  $REQ.response.unicode_body = $SINK
          - pattern: $SINK

Examples

direct-use-of-response.py

from pyramid.view import view_config
from pyramid.request import Response


@view_config(route_name='bad_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_bad_view1(request):
    param = request.params.get('p', '')
    content = """
<html>
    <body>
        <p>Param: {0}</p>
    </body>
</html>""".format(param)
    # ruleid: pyramid-direct-use-of-response
    return Response(content)


@view_config(route_name='bad_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_bad_view2(request):
    param = request.params.get('p', '')
    # ruleid: pyramid-direct-use-of-response
    request.response.body = """
<html>
    <body>
        <p>Param: {0}</p>
    </body>
</html>""".format(param)
    return request.response


@view_config(route_name='good_route', renderer='pyramid_test_mako:templates/mytemplate.mako')
def my_good_view1(request):
    # ok: pyramid-direct-use-of-response
    return {'project': 'pyramid_test_mako', 'Param': request.params.get('p', '')}


@view_config(route_name='good_route')
def my_good_view2(request):
    # ok: pyramid-direct-use-of-response
    request.response.body = "HELLO!"
    return request.response