[Openstack-security] [Bug 1663417] Re: Bandit issue B701:jinja2_autoescape_false

Jeremy Stanley fungi at yuggoth.org
Thu Mar 30 13:23:15 UTC 2017 

Thanks Amrith, I'll switch this bug to public and triage it as a
potential hardening opportunity in that case.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  After running bandit it found an issue of Severity and Confidence High.
  
  Test results:
  >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
     Severity: High   Confidence: High
     Location: trove/common/utils.py:53
  51
  52	def build_jinja_environment():
  53	    env = jinja2.Environment(loader=jinja2.ChoiceLoader([
  54	        jinja2.FileSystemLoader(CONF.template_path),
  55	        jinja2.PackageLoader("trove", "templates")
  56	    ]))
  57	    # Add some basic operation not built-in.
  
  simply adding the argument autoescape=True to the function call will fix
  the issue.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1663417

Title:
  Bandit issue B701:jinja2_autoescape_false

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  New

Bug description:
  After running bandit it found an issue of Severity and Confidence
  High.

  Test results:
  >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
     Severity: High   Confidence: High
     Location: trove/common/utils.py:53
  51
  52	def build_jinja_environment():
  53	    env = jinja2.Environment(loader=jinja2.ChoiceLoader([
  54	        jinja2.FileSystemLoader(CONF.template_path),
  55	        jinja2.PackageLoader("trove", "templates")
  56	    ]))
  57	    # Add some basic operation not built-in.

  simply adding the argument autoescape=True to the function call will
  fix the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1663417/+subscriptions

More information about the Openstack-security mailing list