[Openstack-security] [Bug 1663417] Re: Bandit issue B701:jinja2_autoescape_false

OpenStack Infra 1663417 at bugs.launchpad.net
Thu Apr 6 14:48:46 UTC 2017


** Changed in: trove
       Status: New => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1663417

Title:
  Bandit issue B701:jinja2_autoescape_false

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  In Progress

Bug description:
  After running bandit it found an issue of Severity and Confidence
  High.

  Test results:
  >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
     Severity: High   Confidence: High
     Location: trove/common/utils.py:53
  51
  52	def build_jinja_environment():
  53	    env = jinja2.Environment(loader=jinja2.ChoiceLoader([
  54	        jinja2.FileSystemLoader(CONF.template_path),
  55	        jinja2.PackageLoader("trove", "templates")
  56	    ]))
  57	    # Add some basic operation not built-in.

  Simply adding the argument autoescape=True to the function call will
  fix the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1663417/+subscriptions
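As an added illustration (not Trove's code and not part of this notification), the Python below shows what the flagged setting changes: one constructed template rendered with autoescape off and on, plus a small check that a built Environment actually has escaping enabled. The template text, the in-memory loader and the input string are constructed for the example; jinja2.select_autoescape is the real Jinja2 helper for turning escaping on only for HTML/XML template names, which also satisfies the B701 check.

```python
# Added example, not Trove's code: mirrors the shape of
# build_jinja_environment() but with an in-memory loader so it runs offline.
import jinja2

# Constructed template and input. Trove's real templates come from
# CONF.template_path and the "trove" package, which are not used here.
TEMPLATE = "<p>Instance name: {{ name }}</p>"
UNTRUSTED_NAME = '<script>alert("xss")</script>'


def build_env(autoescape) -> jinja2.Environment:
    """Build an Environment like Trove's, but with a DictLoader.

    ``autoescape`` may be a bool (the fix suggested in the bug) or a
    callable such as jinja2.select_autoescape(["html", "xml"]).
    """
    return jinja2.Environment(
        loader=jinja2.ChoiceLoader([jinja2.DictLoader({"page.html": TEMPLATE})]),
        autoescape=autoescape,
    )


def render(autoescape, name: str = UNTRUSTED_NAME) -> str:
    """Render the template with the given autoescape setting."""
    return build_env(autoescape).get_template("page.html").render(name=name)


def autoescape_enabled(env: jinja2.Environment, template_name: str = "page.html") -> bool:
    """Resolve the effective autoescape setting for a template name.

    Useful in a unit test or review check: Environment.autoescape is a
    bool when set directly, or a callable when select_autoescape is used.
    """
    setting = env.autoescape
    return bool(setting(template_name) if callable(setting) else setting)


if __name__ == "__main__":
    # With autoescape=False the script tag is emitted verbatim.
    print(render(False))
    # With autoescape=True the markup characters are HTML-escaped.
    print(render(True))
    # select_autoescape enables escaping for .html/.xml names only.
    print(autoescape_enabled(build_env(jinja2.select_autoescape(["html", "xml"]))))
```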
