Inicio Explorar Axuda
Iniciar sesión
sintez
/
py_task
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: 609422c2ac
Ramas Etiquetas
py_task
/
venv
/
lib
/
python3.9
/
site-packages
/
bandit
/
plugins
/
mako_templates.py

mako_templates.py 2.5 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. #
    2. 

  2. # SPDX-License-Identifier: Apache-2.0
    3. 

  3. r"""
    4. 

  4. ====================================
    5. 

  5. B702: Test for use of mako templates
    6. 

  6. ====================================
    7. 

  7. 

  8. Mako is a Python templating system often used to build web applications. It is
    9. 

  9. the default templating system used in Pylons and Pyramid. Unlike Jinja2 (an
    10. 

  10. alternative templating system), Mako has no environment wide variable escaping
    11. 

  11. mechanism. Because of this, all input variables must be carefully escaped
    12. 

  12. before use to prevent possible vulnerabilities to Cross Site Scripting (XSS)
    13. 

  13. attacks.
    14. 

  14. 

  15. 

  16. :Example:
    17. 

  17. 

  18. .. code-block:: none
    19. 

  19. 

  20.     >> Issue: Mako templates allow HTML/JS rendering by default and are
    21. 

  21.     inherently open to XSS attacks. Ensure variables in all templates are
    22. 

  22.     properly sanitized via the 'n', 'h' or 'x' flags (depending on context).
    23. 

  23.     For example, to HTML escape the variable 'data' do ${ data |h }.
    24. 

  24.        Severity: Medium   Confidence: High
    25. 

  25.        CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html)
    26. 

  26.        Location: ./examples/mako_templating.py:10
    27. 

  27.     9
    28. 

  28.     10  mako.template.Template("hern")
    29. 

  29.     11  template.Template("hern")
    30. 

  30. 

  31. 

  32. .. seealso::
    33. 

  33. 

  34.  - https://www.makotemplates.org/
    35. 

  35.  - `OWASP XSS <https://owasp.org/www-community/attacks/xss/>`_
    36. 

  36.  - https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
    37. 

  37.  - https://cwe.mitre.org/data/definitions/80.html
    38. 

  38. 

  39. .. versionadded:: 0.10.0
    40. 

  40. 

  41. .. versionchanged:: 1.7.3
    42. 

  42.     CWE information added
    43. 

  43. 

  44. """
    45. 

  45. import bandit
    46. 

  46. from bandit.core import issue
    47. 

  47. from bandit.core import test_properties as test
    48. 

  48. 

  49. 

  50. @test.checks("Call")
    51. 

  51. @test.test_id("B702")
    52. 

  52. def use_of_mako_templates(context):
    53. 

  53.     # check type just to be safe
    54. 

  54.     if isinstance(context.call_function_name_qual, str):
    55. 

  55.         qualname_list = context.call_function_name_qual.split(".")
    56. 

  56.         func = qualname_list[-1]
    57. 

  57.         if "mako" in qualname_list and func == "Template":
    58. 

  58.             # unlike Jinja2, mako does not have a template wide autoescape
    59. 

  59.             # feature and thus each variable must be carefully sanitized.
    60. 

  60.             return bandit.Issue(
    61. 

  61.                 severity=bandit.MEDIUM,
    62. 

  62.                 confidence=bandit.HIGH,
    63. 

  63.                 cwe=issue.Cwe.BASIC_XSS,
    64. 

  64.                 text="Mako templates allow HTML/JS rendering by default and "
    65. 

  65.                 "are inherently open to XSS attacks. Ensure variables "
    66. 

  66.                 "in all templates are properly sanitized via the 'n', "
    67. 

  67.                 "'h' or 'x' flags (depending on context). For example, "
    68. 

  68.                 "to HTML escape the variable 'data' do ${ data |h }.",
    69. 

  69.             )
    70.