Do not flag new way of escaping in jinja2 plugin

Makes escaping using select_autoescape function valid by checking for ast.Call instance and if func id == select_autoescape. Example: from jinja2 import Environment, select_autoescape env = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']), loader=PackageLoader('mypackage')) Change-Id: I47c6b346332a6d9f7c4c57dd45ab7636c78996a1 Closes-Bug: #1684249
PyCQA · Aug 2, 2017 · 8f1b50b · 8f1b50b
1 parent ee9481d
commit 8f1b50b
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 10 deletions.
diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py
@@ -47,13 +47,16 @@
     14
 
     >> Issue: By default, jinja2 sets autoescape to False. Consider using
-    autoescape=True to mitigate XSS vulnerabilities.
+    autoescape=True or use the select_autoescape function to mitigate XSS
+    vulnerabilities.
        Severity: High   Confidence: High
        Location: ./examples/jinja2_templating.py:15
     14
     15  Environment(loader=templateLoader,
     16              load=templateLoader)
     17
+    18  Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
+    19              loader=templateLoader)
 
 
 .. seealso::
@@ -93,28 +96,36 @@ def jinja2_autoescape_false(context):
                             confidence=bandit.HIGH,
                             text="Using jinja2 templates with autoescape="
                                  "False is dangerous and can lead to XSS. "
-                                 "Use autoescape=True to mitigate XSS "
+                                 "Use autoescape=True or use the "
+                                 "select_autoescape function to mitigate XSS "
                                  "vulnerabilities."
                         )
                     # found autoescape
                     if getattr(node, 'arg', None) == 'autoescape':
-                        if (getattr(node.value, 'id', None) == 'True' or
-                                getattr(node.value, 'value', None) is True):
+                        value = getattr(node, 'value', None)
+                        if (getattr(value, 'id', None) == 'True' or
+                                getattr(value, 'value', None) is True):
+                            return
+                        # Check if select_autoescape function is used.
+                        elif isinstance(value, ast.Call) and getattr(
+                                value.func, 'id', None) == 'select_autoescape':
                             return
                         else:
                             return bandit.Issue(
                                 severity=bandit.HIGH,
                                 confidence=bandit.MEDIUM,
                                 text="Using jinja2 templates with autoescape="
                                      "False is dangerous and can lead to XSS. "
-                                     "Ensure autoescape=True to mitigate XSS "
-                                     "vulnerabilities."
+                                     "Ensure autoescape=True or use the "
+                                     "select_autoescape function to mitigate "
+                                     "XSS vulnerabilities."
                             )
             # We haven't found a keyword named autoescape, indicating default
             # behavior
             return bandit.Issue(
                 severity=bandit.HIGH,
                 confidence=bandit.HIGH,
                 text="By default, jinja2 sets autoescape to False. Consider "
-                     "using autoescape=True to mitigate XSS vulnerabilities."
+                     "using autoescape=True or use the select_autoescape "
+                     "function to mitigate XSS vulnerabilities."
             )
diff --git a/examples/jinja2_templating.py b/examples/jinja2_templating.py
@@ -1,5 +1,5 @@
 import jinja2
-from jinja2 import Environment
+from jinja2 import Environment, select_autoescape
 templateLoader = jinja2.FileSystemLoader( searchpath="/" )
 something = ''
 
@@ -14,3 +14,13 @@
 
 Environment(loader=templateLoader,
             load=templateLoader)
+
+Environment(loader=templateLoader, autoescape=select_autoescape())
+
+Environment(loader=templateLoader,
+            autoescape=select_autoescape(['html', 'htm', 'xml']))
+
+
+def fake_func():
+    return 'foobar'
+Environment(loader=templateLoader, autoescape=fake_func())
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -441,8 +441,8 @@ def test_yaml(self):
     def test_jinja2_templating(self):
         '''Test jinja templating for potential XSS bugs.'''
         expect = {
-            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 4},
-            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 1, 'HIGH': 3}
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 3}
         }
         self.check_example('jinja2_templating.py', expect)