[openstack-dev] [OSSN 0070] Bandit versions lower than 1.1.0 do not escape HTML in issue reports

Luke Hinds lhinds at redhat.com
Tue Aug 30 13:07:51 UTC 2016


Bandit versions lower than 1.1.0 do not escape HTML in issue reports
---

### Summary ###

Bandit versions lower than 1.1.0 have a bug in the HTML report formatter:
it does not escape HTML in issue context snippets. This could lead to
cross-site scripting (XSS) if HTML reports are hosted as part of a CI
pipeline.

### Affected Services / Software ###

Bandit: < 1.1.0

### Discussion ###

Bandit versions lower than 1.1.0 have a bug in the HTML report formatter
that does not escape HTML in issue context snippets. This could lead to
an XSS attack if HTML reports are hosted as part of a CI pipeline
because HTML in the source code would be copied verbatim into the report.

For example:

  import subprocess
  subprocess.Popen("<script>alert(1)</script>", shell=True)

This will cause "<script>alert(1)</script>" to be inserted verbatim into
the HTML report. This issue could allow for arbitrary code injection into
CI/CD pipelines that feature accessible HTML reports generated from Bandit
runs.
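
The difference between copying a context snippet verbatim and escaping it
first, as an added example that is not part of the original advisory and
is not Bandit's own formatter code. The template, function names and issue
title are assumptions made for illustration.

```python
import html

# Constructed sample: the source lines quoted as issue context,
# taken from the advisory's example.
SNIPPET = (
    "import subprocess\n"
    'subprocess.Popen("<script>alert(1)</script>", shell=True)'
)

# Hypothetical report fragment, not Bandit's real report markup.
TEMPLATE = '<div class="issue"><b>{title}</b><pre>{code}</pre></div>'


def render_unescaped(title, code):
    """Behaviour the advisory describes for Bandit < 1.1.0:
    the snippet is copied into the report as-is."""
    return TEMPLATE.format(title=title, code=code)


def render_escaped(title, code):
    """Hardened form: every value that originates from scanned
    source is HTML-escaped before it reaches the template."""
    return TEMPLATE.format(title=html.escape(title), code=html.escape(code))


def has_live_markup(report, code):
    """Report check: True when a snippet containing <, > or &
    appears in the report without having been escaped."""
    contains_markup = html.escape(code, quote=False) != code
    return contains_markup and code in report


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        report = render("subprocess call with shell=True", SNIPPET)
        print(render.__name__, "live markup:", has_live_markup(report, SNIPPET))
```

A check like has_live_markup can be run over archived reports to find
ones produced before the upgrade.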

### Recommended Actions ###

Update bandit to version 1.1.0 or greater.

### Contacts / References ###
Author: Tim Kelsey <tim.kelsey at hpe.com>, HPE
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0070
Original LaunchPad Bug : https://bugs.launchpad.net/bandit/+bug/1612988
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: N/A