[Openstack-security] [Bug 1663417] Re: Bandit issue B701:jinja2_autoescape_false
OpenStack Infra
1663417 at bugs.launchpad.net
Tue Apr 18 09:38:10 UTC 2017
Reviewed: https://review.openstack.org/454204
Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=a173923ed534b114ad6c09af7ba2c72921200a3b
Submitter: Jenkins
Branch: master
commit a173923ed534b114ad6c09af7ba2c72921200a3b
Author: Trevor McCasland <TM2086 at att.com>
Date: Thu Apr 6 09:03:10 2017 -0500
Add jinja2 autoescape=True
To avoid XSS vulnerabilities, bandit suggests setting
autoescape=True.
After this change the bandit issue no longer appears.
Change-Id: Ic47dadef49b4504b3bcfbdc63ea85c937aabf334
Closes-Bug: #1663417
** Changed in: trove
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1663417
Title:
Bandit issue B701:jinja2_autoescape_false
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
Fix Released
Bug description:
After running bandit, it found an issue of Severity and Confidence
High.
Test results:
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
Severity: High Confidence: High
Location: trove/common/utils.py:53
51
52 def build_jinja_environment():
53     env = jinja2.Environment(loader=jinja2.ChoiceLoader([
54         jinja2.FileSystemLoader(CONF.template_path),
55         jinja2.PackageLoader("trove", "templates")
56     ]))
57     # Add some basic operation not built-in.
Simply adding the argument autoescape=True to the function call will
fix the issue.
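The check Bandit performs here is easy to reproduce and useful as a pre-commit guard in other projects. The following is an added example, not code from Trove or from Bandit itself: it walks a Python module's AST with the standard library and reports every jinja2.Environment() call whose autoescape keyword is missing or literally False, which is the condition B701 flags. The sample source it scans is constructed here, modelled on the utils.py snippet above, with the pre-fix and post-fix forms side by side; the CONF name inside the sample is only text being parsed, not executed.

```python
"""Minimal B701-style check: jinja2.Environment() without autoescape.

Added example (not Trove's or Bandit's own code). Uses only the stdlib
ast module, so it runs without jinja2 installed; the code it inspects
is never imported or executed.
"""
import ast

# Constructed sample modelled on the trove/common/utils.py snippet in the
# bug report: the first function is the pre-fix form, the second is the
# fixed form, the third uses select_autoescape() (treated as enabled).
SAMPLE_SOURCE = '''
import jinja2

def build_jinja_environment():
    env = jinja2.Environment(loader=jinja2.ChoiceLoader([
        jinja2.FileSystemLoader(CONF.template_path),
        jinja2.PackageLoader("trove", "templates")
    ]))
    return env

def build_jinja_environment_fixed():
    env = jinja2.Environment(loader=jinja2.ChoiceLoader([
        jinja2.FileSystemLoader(CONF.template_path),
        jinja2.PackageLoader("trove", "templates")
    ]), autoescape=True)
    return env

def build_with_select():
    return jinja2.Environment(autoescape=jinja2.select_autoescape(['html']))
'''


def _is_environment_call(node: ast.Call) -> bool:
    """True for `jinja2.Environment(...)` or a bare `Environment(...)`."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return (func.attr == "Environment"
                and isinstance(func.value, ast.Name)
                and func.value.id == "jinja2")
    return isinstance(func, ast.Name) and func.id == "Environment"


def _autoescape_disabled(node: ast.Call) -> bool:
    """A missing keyword or a literal False counts as disabled.

    Anything else (True, select_autoescape(...), a variable) is treated
    as enabled; a stricter scanner could flag the variable case as unknown.
    """
    for kw in node.keywords:
        if kw.arg == "autoescape":
            return isinstance(kw.value, ast.Constant) and kw.value.value is False
    return True


def find_autoescape_false(source: str):
    """Return (line_number, reason) for each Environment() call with autoescape off."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and _is_environment_call(node)
                and _autoescape_disabled(node)):
            has_kw = any(kw.arg == "autoescape" for kw in node.keywords)
            reason = ("autoescape=False" if has_kw
                      else "autoescape not set (defaults to False)")
            findings.append((node.lineno, reason))
    return findings


if __name__ == "__main__":
    # Expected: one finding, at line 5 of SAMPLE_SOURCE (the pre-fix function).
    for lineno, reason in find_autoescape_false(SAMPLE_SOURCE):
        print(f"B701-style finding at line {lineno}: {reason}")
```

Running it against the sample reports only the original build_jinja_environment() call; the fixed variant and the select_autoescape() variant pass. Because the scan is purely syntactic, it will miss an Environment created through an alias or a wrapper function, which is the same limitation the real Bandit check has.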
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1663417/+subscriptions