Bandit scanning on Nova generates false positives of high severity issue "jinja2_autoescape_false"

Bug #1701712 reported by Zhen Qin
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Zhen Qin
Milestone: (not set)

Bug Description

In the report generated by Bandit that scans against Nova code, there are two security issues estimated as high severity, as shown below. We believe that these two issues are false positives. Therefore, the lines of Nova code that trigger these Bandit issues should be marked with something like # nosec so that any results associated with them will not be reported by Bandit.

--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
   Severity: High Confidence: High
   Location: nova/console/xvp.py:113
112 tmpl_path, tmpl_file = os.path.split(CONF.injected_network_template)
113 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path))
114 env.filters['pass_encode'] = self.fix_console_password

--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
   Severity: High Confidence: High
   Location: nova/virt/netutils.py:174
173 tmpl_path, tmpl_file = os.path.split(template)
174 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path),
175 trim_blocks=True)
176 template = env.get_template(tmpl_file)

The reasons we think the above issues are false positives are:
"When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_network_template" configured in nova.conf is a template with text format with different rules, and is not intended to be executable. An example template is https://github.com/openstack/nova/blob/stable/ocata/nova/virt/interfaces.template

This bug exists in multiple releases of Nova, including the master branch, Ocata, Newton, etc.

References:
[1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html
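The following is an added example, not code from nova or from this bug report. It reproduces the pattern Bandit flags (a `jinja2.Environment` without `autoescape=True`) and shows why the report treats B701 as a false positive for these two call sites: Jinja2's autoescape applies HTML escaping to every interpolated value, which is the right mitigation for HTML output and the wrong transformation for a plain-text file such as an interfaces file or a console config. The templates, the sample contexts, the `DictLoader` (used instead of the `FileSystemLoader` from the report so the example runs without touching disk) and the identity `fix_console_password` stand-in are all constructed for the example; nova's real templates and filter are not reproduced.

```python
import jinja2

# Constructed templates standing in for the two files named in the report.
# They are not nova's interfaces.template or xvp config; they only reproduce
# the shape of plain-text output that those templates generate.
TEMPLATES = {
    "interfaces.template": (
        "# Injected by Nova on first boot\n"
        "auto {{ ifc.name }}\n"
        "iface {{ ifc.name }} inet static\n"
        "    address {{ ifc.address }}\n"
        "    dns-search {{ ifc.dns_search }}\n"
    ),
    "xvp.conf.template": (
        'CONSOLE {{ name }} PASSWORD="{{ password|pass_encode }}"\n'
    ),
}

# Constructed sample contexts: ordinary interface values, and a console
# password containing characters that HTML escaping rewrites.
IFACE_CONTEXT = {"ifc": {"name": "eth0", "address": "10.0.0.5",
                         "dns_search": "example.internal"}}
XVP_CONTEXT = {"name": "instance-00000001", "password": "p&ss<w>"}


def fix_console_password(password):
    """Hypothetical stand-in for nova's pass_encode filter (identity here)."""
    return password


def render(template_name, context, autoescape):
    """Render one plain-text template with or without Jinja2 HTML autoescaping.

    The ``# nosec`` annotation is the suppression form the nova fix used:
    Bandit's B701 assumes HTML output, and this environment only ever renders
    text files, so the XSS concern behind the check does not apply.
    """
    env = jinja2.Environment(  # nosec - plain-text output, not HTML
        loader=jinja2.DictLoader(TEMPLATES),
        autoescape=autoescape,
        trim_blocks=True,
    )
    env.filters["pass_encode"] = fix_console_password
    return env.get_template(template_name).render(**context)


def autoescape_effect(template_name, context):
    """Compare both renderings and report whether autoescaping altered the file.

    A difference means autoescaping rewrote characters that the consuming
    program (ifupdown, xvp) would have read literally: the rendered file is
    corrupted rather than protected, which is the false-positive argument.
    """
    plain = render(template_name, context, autoescape=False)
    escaped = render(template_name, context, autoescape=True)
    return {"plain": plain, "escaped": escaped, "changed": plain != escaped}


if __name__ == "__main__":
    for name, ctx in (("interfaces.template", IFACE_CONTEXT),
                      ("xvp.conf.template", XVP_CONTEXT)):
        result = autoescape_effect(name, ctx)
        print(f"--- {name}: autoescape changed output = {result['changed']}")
        print(result["escaped"])
```

With typical interface values the two renderings are identical, so enabling autoescape would only silence the scanner; with a console password containing `&` or `<` it rewrites the value to `&amp;` and `&lt;` inside the config file. Neither outcome is an XSS mitigation, which is why annotating the call site is the appropriate response rather than changing the environment.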

Tags: bandit
Zhen Qin (zqinit)
description: updated
tags: added: bandit
Changed in nova:
assignee: nobody → Zhen Qin (zqinit)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/479437

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/479437
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=398d24de68c79f77f0cfc0148f8d914bc09908b9
Submitter: Jenkins
Branch: master

commit 398d24de68c79f77f0cfc0148f8d914bc09908b9
Author: Zhen Qin <email address hidden>
Date: Fri Jun 30 15:29:10 2017 -0400

    Avoid false positives of Jinja2 in Bandit scan

    When Bandit scans nova/console/xvp.py and nova/virt/netutils.py, the
    high severity issue ("B701:jinja2_autoescape_false") is triggered. By
    adding #nosec to the above code, this alarm will be suppressed.

    "When autoescaping is enabled, Jinja2 will filter input strings to
    escape any HTML content submitted via template variables. Without
    escaping HTML input the application becomes vulnerable to Cross Site
    Scripting (XSS) attacks."[1] However, the "injected_network_template" is
    a template with text format and different rules, and is not intended to
    be executable. Hence, the security concern is not applicable here.

    [1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html

    Closes-Bug: #1701712
    Change-Id: Ie819d90492af1e5c3b3d64403495d7355dc2cd91

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0b3

This issue was fixed in the openstack/nova 16.0.0.0b3 development milestone.
