Bandit scanning on Nova generates false positives of high severity issue "jinja2_autoescape_false"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Undecided | Zhen Qin |
Bug Description
In the report generated by Bandit scanning the Nova code, there are two security issues rated as high severity, shown below. We believe that these two issues are false positives. Therefore, the lines of Nova code that trigger these Bandit issues should be marked with something like # nosec so that any results associated with them are not reported by Bandit.
-------
>> Issue: [B701:jinja2_
Severity: High Confidence: High
Location: nova/console/
112 tmpl_path, tmpl_file = os.path.
113 env = jinja2.
114 env.filters[
-------
>> Issue: [B701:jinja2_
Severity: High Confidence: High
Location: nova/virt/
173 tmpl_path, tmpl_file = os.path.
174 env = jinja2.
175 trim_blocks=True)
176 template = env.get_
The reasons we think the above issues are false positives are:
"When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_
This bug exists in multiple releases of Nova, including the master branch, Ocata, Newton, etc.
References:
[1] https:/
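As an added illustration, not Nova's code and not part of the bug report, the following shows why B701 is a false positive for an Environment that only renders plain-text output: the same template is rendered once the way the flagged Nova code does it (no autoescape, annotated with # nosec) and once with the autoescape Bandit asks for, and the HTML escaping visibly corrupts a text config line. The template, the interface records and the function names are constructed for this example.

```python
# Added example (not Nova code): Bandit B701 (jinja2_autoescape_false)
# versus a template that produces plain text rather than HTML.
import jinja2

# Constructed sample template. It is a text config file, loosely in the
# style of a Debian "interfaces" file, with no HTML context anywhere.
INTERFACES_TEMPLATE = """\
# constructed sample: plain-text network config, not HTML
{% for iface in interfaces %}
auto {{ iface.name }}
iface {{ iface.name }} inet static
    address {{ iface.address }}
    post-up {{ iface.post_up }}
{% endfor %}
"""

# Constructed sample data. The post-up command deliberately contains
# characters (& and ") that HTML autoescaping would rewrite.
SAMPLE_INTERFACES = [
    {
        "name": "eth0",
        "address": "10.0.0.5",
        "post_up": 'ip route add 10.1.0.0/16 via 10.0.0.1 && echo "route added"',
    },
]


def _loader():
    return jinja2.DictLoader({"interfaces.tpl": INTERFACES_TEMPLATE})


def build_text_env():
    """Environment for plain-text output, the pattern Bandit flags as B701.

    Bandit reports the line containing the Environment() call, so the
    # nosec marker goes on that line. The suppression is justified only
    because nothing rendered by this environment is ever sent to a browser.
    """
    return jinja2.Environment(  # nosec
        loader=_loader(),
        trim_blocks=True,
    )


def build_escaping_env():
    """The same environment with the autoescape Bandit wants by default.

    Correct for HTML templates; wrong for text config, as shown below.
    """
    return jinja2.Environment(
        loader=_loader(),
        autoescape=True,
        trim_blocks=True,
    )


def render_plain(interfaces):
    """Render the config as the flagged (non-escaping) code would."""
    return build_text_env().get_template("interfaces.tpl").render(
        interfaces=interfaces)


def render_escaped(interfaces):
    """Render the config with autoescape=True to show the damage."""
    return build_escaping_env().get_template("interfaces.tpl").render(
        interfaces=interfaces)


def escaping_corrupts_config(interfaces):
    """True when autoescaping changes the rendered text at all.

    For a text template any difference is corruption, which is the
    argument for marking the Environment() call with # nosec.
    """
    return render_plain(interfaces) != render_escaped(interfaces)


if __name__ == "__main__":
    print("--- without autoescape (what the config should look like) ---")
    print(render_plain(SAMPLE_INTERFACES))
    print("--- with autoescape=True (HTML entities in a shell command) ---")
    print(render_escaped(SAMPLE_INTERFACES))
```

Two points for anyone applying the same suppression: # nosec silences every Bandit finding on that line, so keep the annotated line to the Environment() call itself; and the suppression is only valid while the environment renders non-HTML output, so any Environment that does produce HTML should keep autoescape enabled instead.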
description: updated
tags: added: bandit
Changed in nova:
assignee: nobody → Zhen Qin (zqinit)
Fix proposed to branch: master
Review: https://review.openstack.org/479437