From a0f0fe64db56ba565e9fa421dcf1d0fee2ba2ef5 Mon Sep 17 00:00:00 2001 From: Tristan Maat Date: Mon, 2 Dec 2019 16:54:50 +0000 Subject: optionpool.py: Make jinja autoescape rules explicit Our security linter warns us that jinja should be set to escape HTML output. Since we don't do HTML output, or any other markup that would be vulnerable to XSS, we explicitly disable it on our strings, and let jinja do as it pleases on files. Should anyone use BuildStream as a library, they should likely escape our output before displaying it in a browser, but that's a given since they are operating on user-defined data. --- src/buildstream/_options/optionpool.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/buildstream/_options/optionpool.py b/src/buildstream/_options/optionpool.py index f105bb12c..66b094a9c 100644 --- a/src/buildstream/_options/optionpool.py +++ b/src/buildstream/_options/optionpool.py @@ -312,6 +312,18 @@ class OptionPool: return False def _init_environment(self): + # Bandit (our code security linter) requires the function to + # be called select_autoescape, not jinja2.select_autoescape, + # so we can't use the function in its original scope. + from jinja2 import select_autoescape + # jinja2 environment, with default globals cleared out of the way - self._environment = jinja2.Environment(undefined=jinja2.StrictUndefined) + # + # Note: We don't really care what autoescape is set up to + # escape, as long as it doesn't escape our strings - we don't + # use jinja to produce markup vulnerable to XSS, and we don't + # run it on files directly. + self._environment = jinja2.Environment( + undefined=jinja2.StrictUndefined, autoescape=select_autoescape(default_for_string=False, default=True) + ) self._environment.globals = [] -- cgit v1.2.1