Merge "Update jinja2 plugin to be more accurate"

2015-02-25 16:25:11 +00:00
parent aab897ef8e 1e71e0c1ed
commit 90e99ed662
3 changed files with 24 additions and 7 deletions
--- a/bandit/plugins/jinja2_templates.py
+++ b/bandit/plugins/jinja2_templates.py
@@ -29,12 +29,24 @@ def autoescape_false(context):
        if 'jinja2' in qualname_list and func == 'Environment':
            for node in ast.walk(context.node):
                if isinstance(node, ast.keyword):
+                    # definite autoescape = False
                    if (getattr(node, 'arg', None) == 'autoescape' and
-                       getattr(node.value, 'id', None) == 'False'):
+                            getattr(node.value, 'id', None) == 'False'):
                        return(bandit.ERROR, 'Using jinja2 templates with'
-                               ' autocomplete=False is dangerous and can'
-                               ' lead to XSS')
+                               ' autoescape=False is dangerous and can'
+                               ' lead to XSS. Use autoescape=True to mitigate'
+                               ' XSS vulnerabilities')
+                    # found autoescape
                    if getattr(node, 'arg', None) == 'autoescape':
-                        return(bandit.INFO, 'Using jinja2 templates with'
-                               ' autocomplete=False is dangerous and can'
-                               ' lead to XSS')
+                        if(getattr(node.value, 'id', None) == 'True'):
+                            return
+                        else:
+                            return(bandit.WARN, 'Using jinja2 templates with'
+                                   ' autoescape=False is dangerous and can'
+                                   ' lead to XSS. Ensure autoescape=True to'
+                                   ' mitigate XSS vulnerabilities.')
+            # We haven't found a keyword named autoescape, indicating default
+            # behavior
+            return(bandit.ERROR, 'By default, jinja2 sets autoescape'
+                   ' to False. Consider using autoescape=True to'
+                   ' mitigate XSS vulnerabilities.')
--- a/examples/jinja2_templating.py
+++ b/examples/jinja2_templating.py
@@ -1,11 +1,16 @@
 import jinja2
 from jinja2 import Environment
 templateLoader = jinja2.FileSystemLoader( searchpath="/" )
+something = ''

 Environment(loader=templateLoader, load=templateLoader, autoescape=True)
 templateEnv = jinja2.Environment(autoescape=True,
        loader=templateLoader )
+Environment(loader=templateLoader, load=templateLoader, autoescape=something)
 templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader )
 Environment(loader=templateLoader,
            load=templateLoader,
            autoescape=False)
+
+Environment(loader=templateLoader,
+            load=templateLoader)
--- a/tests/test_functional.py
+++ b/tests/test_functional.py
@@ -283,4 +283,4 @@ class FunctionalTests(unittest.TestCase):
        self.b_mgr.discover_files([path], True)
        self.b_mgr.run_tests()
        self.assertEqual(self.b_mgr.results_count, 4)
-        self.assertEqual(self.b_mgr.scores[0], 22)
+        self.assertEqual(self.b_mgr.scores[0], 35)