You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@buildstream.apache.org by no...@apache.org on 2020/12/29 12:49:14 UTC
[buildstream] 01/01: optionpool.py: Make jinja autoescape rules
explicit
This is an automated email from the ASF dual-hosted git repository.
not-in-ldap pushed a commit to branch tlater/fix-jinja-autoescape
in repository https://gitbox.apache.org/repos/asf/buildstream.git
commit a0f0fe64db56ba565e9fa421dcf1d0fee2ba2ef5
Author: Tristan Maat <tr...@codethink.co.uk>
AuthorDate: Mon Dec 2 16:54:50 2019 +0000
optionpool.py: Make jinja autoescape rules explicit
Our security linter warns us that jinja should be set to escape HTML
output. Since we don't do HTML output, or any other markup that would
be vulnerable to XSS, we explicitly disable it on our strings, and let
jinja do as it pleases on files.
Should anyone use BuildStream as a library, they should likely escape
our output before displaying it in a browser, but that's a given since
they are operating on user-defined data.
---
src/buildstream/_options/optionpool.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/buildstream/_options/optionpool.py b/src/buildstream/_options/optionpool.py
index f105bb1..66b094a 100644
--- a/src/buildstream/_options/optionpool.py
+++ b/src/buildstream/_options/optionpool.py
@@ -312,6 +312,18 @@ class OptionPool:
return False
def _init_environment(self):
+ # Bandit (our code security linter) requires the function to
+ # be called select_autoescape, not jinja2.select_autoescape,
+ # so we can't use the function in its original scope.
+ from jinja2 import select_autoescape
+
# jinja2 environment, with default globals cleared out of the way
- self._environment = jinja2.Environment(undefined=jinja2.StrictUndefined)
+ #
+ # Note: We don't really care what autoescape is set up to
+ # escape, as long as it doesn't escape our strings - we don't
+ # use jinja to produce markup vulnerable to XSS, and we don't
+ # run it on files directly.
+ self._environment = jinja2.Environment(
+ undefined=jinja2.StrictUndefined, autoescape=select_autoescape(default_for_string=False, default=True)
+ )
self._environment.globals = []