Posted to commits@buildstream.apache.org by no...@apache.org on 2020/12/29 12:49:13 UTC
[buildstream] branch tlater/fix-jinja-autoescape created (now a0f0fe6)
This is an automated email from the ASF dual-hosted git repository.
not-in-ldap pushed a change to branch tlater/fix-jinja-autoescape
in repository https://gitbox.apache.org/repos/asf/buildstream.git.
at a0f0fe6 optionpool.py: Make jinja autoescape rules explicit
This branch includes the following new commits:
new a0f0fe6 optionpool.py: Make jinja autoescape rules explicit
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[buildstream] 01/01: optionpool.py: Make jinja autoescape rules explicit
Posted by no...@apache.org.
not-in-ldap pushed a commit to branch tlater/fix-jinja-autoescape
in repository https://gitbox.apache.org/repos/asf/buildstream.git
commit a0f0fe64db56ba565e9fa421dcf1d0fee2ba2ef5
Author: Tristan Maat <tr...@codethink.co.uk>
AuthorDate: Mon Dec 2 16:54:50 2019 +0000
optionpool.py: Make jinja autoescape rules explicit
Our security linter warns us that jinja should be set to escape HTML
output. Since we don't do HTML output, or any other markup that would
be vulnerable to XSS, we explicitly disable it on our strings, and let
jinja do as it pleases on files.
Should anyone use BuildStream as a library, they should likely escape
our output before displaying it in a browser, but that's a given since
they are operating on user-defined data.
---
src/buildstream/_options/optionpool.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/buildstream/_options/optionpool.py b/src/buildstream/_options/optionpool.py
index f105bb1..66b094a 100644
--- a/src/buildstream/_options/optionpool.py
+++ b/src/buildstream/_options/optionpool.py
@@ -312,6 +312,18 @@ class OptionPool:
return False
def _init_environment(self):
+ # Bandit (our code security linter) requires the function to
+ # be called select_autoescape, not jinja2.select_autoescape,
+ # so we can't use the function in its original scope.
+ from jinja2 import select_autoescape
+
# jinja2 environment, with default globals cleared out of the way
- self._environment = jinja2.Environment(undefined=jinja2.StrictUndefined)
+ #
+ # Note: We don't really care what autoescape is set up to
+ # escape, as long as it doesn't escape our strings - we don't
+ # use jinja to produce markup vulnerable to XSS, and we don't
+ # run it on files directly.
+ self._environment = jinja2.Environment(
+ undefined=jinja2.StrictUndefined, autoescape=select_autoescape(default_for_string=False, default=True)
+ )
self._environment.globals = []
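Review bot: the in-code comment says "we don't run it on files directly", yet `default=True` in `select_autoescape(default_for_string=False, default=True)` configures every template that Jinja would ever load from a file (including ones with an extension outside the default `html`/`htm`/`xml` set) to be HTML-escaped; that is harmless today because only string templates are used, but if a loader is ever attached to this `Environment`, option expressions read from files would silently come back with `&`, `<`, `>` and quotes entity-encoded. Either spell that consequence out in the comment, or pass `default=False` as well so string and file templates behave identically and the only purpose of the call is to make the setting explicit for the linter. It would also help a later reader to name the Bandit check being satisfied in the comment (the jinja2_autoescape_false check, B701), and to say why the function-local `from jinja2 import select_autoescape` is needed rather than a module-level import, since the current wording ("original scope") reads as a Python scoping issue rather than Bandit matching the bare name `select_autoescape` when inspecting the `autoescape=` keyword.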