You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@buildstream.apache.org by no...@apache.org on 2020/12/29 12:49:14 UTC

[buildstream] 01/01: optionpool.py: Make jinja autoescape rules explicit

This is an automated email from the ASF dual-hosted git repository.

not-in-ldap pushed a commit to branch tlater/fix-jinja-autoescape
in repository https://gitbox.apache.org/repos/asf/buildstream.git

commit a0f0fe64db56ba565e9fa421dcf1d0fee2ba2ef5
Author: Tristan Maat <tr...@codethink.co.uk>
AuthorDate: Mon Dec 2 16:54:50 2019 +0000

    optionpool.py: Make jinja autoescape rules explicit
    
    Our security linter warns us that jinja should be set to escape HTML
    output. Since we don't do HTML output, or any other markup that would
    be vulnerable to XSS, we explicitly disable it on our strings, and let
    jinja do as it pleases on files.
    
    Should anyone use BuildStream as a library, they should likely escape
    our output before displaying it in a browser, but that's a given since
    they are operating on user-defined data.
---
 src/buildstream/_options/optionpool.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/buildstream/_options/optionpool.py b/src/buildstream/_options/optionpool.py
index f105bb1..66b094a 100644
--- a/src/buildstream/_options/optionpool.py
+++ b/src/buildstream/_options/optionpool.py
@@ -312,6 +312,18 @@ class OptionPool:
         return False
 
     def _init_environment(self):
+        # Bandit (our code security linter) requires the function to
+        # be called select_autoescape, not jinja2.select_autoescape,
+        # so we can't use the function in its original scope.
+        from jinja2 import select_autoescape
+
         # jinja2 environment, with default globals cleared out of the way
-        self._environment = jinja2.Environment(undefined=jinja2.StrictUndefined)
+        #
+        # Note: We don't really care what autoescape is set up to
+        # escape, as long as it doesn't escape our strings - we don't
+        # use jinja to produce markup vulnerable to XSS, and we don't
+        # run it on files directly.
+        self._environment = jinja2.Environment(
+            undefined=jinja2.StrictUndefined, autoescape=select_autoescape(default_for_string=False, default=True)
+        )
         self._environment.globals = []