Jinja2 autoescape plugin need to be updated

Bug #1684249 reported by Travis McPeak
Affects: Bandit | Status: Fix Released | Importance: Undecided | Assigned to: Rajath Agasthya | Milestone: none

Bug Description

The Jinja2 autoescape check doesn't work with the new suggested way of escaping as described here:

http://jinja.pocoo.org/docs/2.9/api/

An example of a safe way to escape is selectively for html and xss:

from jinja2 import Environment, PackageLoader, select_autoescape

env = Environment(
    loader=PackageLoader('yourapplication', 'templates'),
    # escape only templates whose names end in .html / .xml
    autoescape=select_autoescape(['html', 'xml'])
)

We should update the Bandit plugin to not flag people following the Jinja directions.

Changed in bandit:
assignee: nobody → Rajath Agasthya (rajagast)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/488939

Changed in bandit:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/488939
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=8f1b50b5cce2ea241dbee334c5f58234b8656849
Submitter: Jenkins
Branch: master

commit 8f1b50b5cce2ea241dbee334c5f58234b8656849
Author: Rajath Agasthya <email address hidden>
Date: Sat Jul 29 01:33:26 2017 -0700

    Do not flag new way of escaping in jinja2 plugin

    Makes escaping using select_autoescape function valid by checking
    for ast.Call instance and if func id == select_autoescape.

    Example:

    from jinja2 import Environment, PackageLoader, select_autoescape
    env = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
                      loader=PackageLoader('mypackage'))

    Change-Id: I47c6b346332a6d9f7c4c57dd45ab7636c78996a1
    Closes-Bug: #1684249

Changed in bandit:
status: In Progress → Fix Released
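The check the bug report asks for and the rule the merged commit describes (accept an autoescape argument that is an ast.Call whose target is select_autoescape) boil down to a small AST walk. The following is an added example written for this page; it is not Bandit's plugin code and it is not the merged change. It reimplements the decision logic over constructed sample modules, and it goes one step beyond the commit by also accepting the jinja2.select_autoescape attribute spelling, which a bare func.id comparison would miss. The severity labels are the example's own classification, not a claim about what Bandit reports.

```python
import ast

# Constructed sample modules (not code from the bug report or from Bandit):
# each builds a jinja2 Environment in a different way.
SAMPLES = {
    "no_autoescape": (
        "from jinja2 import Environment, PackageLoader\n"
        "env = Environment(loader=PackageLoader('app', 'templates'))\n"
    ),
    "autoescape_false": (
        "from jinja2 import Environment\n"
        "env = Environment(autoescape=False)\n"
    ),
    "autoescape_true": (
        "from jinja2 import Environment\n"
        "env = Environment(autoescape=True)\n"
    ),
    "select_autoescape_name": (
        "from jinja2 import Environment, select_autoescape\n"
        "env = Environment(autoescape=select_autoescape(['html', 'xml']))\n"
    ),
    "select_autoescape_attr": (
        "import jinja2\n"
        "env = jinja2.Environment(autoescape=jinja2.select_autoescape(['html']))\n"
    ),
    "custom_callable": (
        "from jinja2 import Environment\n"
        "env = Environment(autoescape=my_policy)\n"
    ),
}


def _callee_name(func):
    """Trailing name of a call target: 'Environment' for both Environment(...)
    and jinja2.Environment(...); None for anything else (e.g. a lambda)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _autoescape_is_safe(value):
    """True when autoescape is the literal True or a select_autoescape() call.
    The call form is what the bug asked Bandit to stop flagging; accepting the
    jinja2.select_autoescape attribute spelling is an extension beyond the
    merged fix, which compared only func.id."""
    if isinstance(value, ast.Constant) and value.value is True:
        return True
    if isinstance(value, ast.Call) and _callee_name(value.func) == "select_autoescape":
        return True
    return False


def check_source(src):
    """Return (line, level, message) findings for every Environment(...) call
    in one module's source."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) != "Environment":
            continue
        autoescape = next((kw.value for kw in node.keywords if kw.arg == "autoescape"), None)
        if autoescape is None:
            # jinja2's default is no escaping at all
            findings.append((node.lineno, "HIGH",
                             "Environment() created without autoescape; jinja2 defaults to no escaping"))
        elif _autoescape_is_safe(autoescape):
            continue
        elif isinstance(autoescape, ast.Constant) and autoescape.value is False:
            findings.append((node.lineno, "HIGH", "autoescape=False disables escaping entirely"))
        else:
            # some other expression (a name, lambda, ...): cannot tell statically
            findings.append((node.lineno, "MEDIUM",
                             "autoescape set to a non-literal value; confirm the callable escapes html/xml"))
    return findings


def scan_samples():
    """Run the check over every constructed sample; empty list means clean."""
    return {name: check_source(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, findings or "clean")
```

Before the fix, only the literal True branch was accepted, so the two select_autoescape samples landed in the MEDIUM bucket even though they follow the Jinja documentation; with the ast.Call check they come back clean, while a missing or False autoescape is still reported.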