hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: clean up change notes and query help.

Browse Source
This commit is contained in:
Mark Shannon
2018-11-28 15:02:47 +00:00
parent eefb45c94b
commit 21246dcbf2
3 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
change-notes/1.19/analysis-python.md
View File

@@ -56,10 +56,10 @@ A new predicate `Stmt.getAnEntryNode()` has been added to make it easier to writ
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Enabled on LGTM by default. |
| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Enabled on LGTM by default. |
| Jinja2 templating with autoescape=False (`py/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of jinja2.Environment with `autoescape=False` which may allow XSS attacks. Not enabled on LGTM by default. |
| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Not enabled on LGTM by default. |
| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Results are shown on LGTM by default. |
| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Results are shown on LGTM by default. |
| Jinja2 templating with autoescape=False (`py/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of `jinja2.Environment` with `autoescape=False` which may allow XSS attacks. Results are hidden on LGTM by default. |
| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Results are hidden on LGTM by default. |
## Changes to existing queries

8
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
View File

@@ -6,7 +6,7 @@
<overview>
<p>
Cross-site scripting attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
The <code>jinja2</code> templates may be vulnerable to XSS if the environment has <code>autoescape</code> set to <code>False</code>.
Unfortunately, <code>jinja2</code> sets <code>autoescape</code> to <code>False</code> by default.
Explicitly setting <code>autoescape</code> to <code>True</code> when creating an <code>Environment</code> object will prevent this.
@@ -23,7 +23,7 @@ For example, it can be used when creating an environment <code>Environment(autoe
<example>
<p>
The following example is a minimal flask app which shows a safe and unsafe way to render the given name back to the page.
The following example is a minimal Flask app which shows a safe and an unsafe way to render the given name back to the page.
The first view is unsafe as <code>first_name</code> is not escaped, leaving the page vulnerable to cross-site scripting attacks.
The second view is safe as <code>first_name</code> is escaped, so it is not vulnerable to cross-site scripting attacks.
</p>
@@ -32,11 +32,13 @@ The second view is safe as <code>first_name</code> is escaped, so it is not vuln
<references>
<li>
http://jinja.pocoo.org/docs/2.10/api/
Jinja2: <a href="http://jinja.pocoo.org/docs/2.10/api/">API</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
<li>
OWASP: <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
</references>
</qhelp>

2
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Jinja2 templating with autoescape=False
* @description Using jinja2 templates with autoescape=False can
* @description Using jinja2 templates with 'autoescape=False' can
* cause a cross-site scripting vulnerability.
* @kind problem
* @problem.severity error