Merge pull request #9135 from tausbn/python-modernise-py-jinja2-autoescape-false

Python: Modernise py/jinja2/autoescape-false
2025-12-24 04:36:35 +01:00 · 2022-05-23 14:18:06 +02:00
parent 487425670e ea32299ab0
commit 23d64ffa04
2 changed files with 16 additions and 14 deletions
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -12,6 +12,8 @@
 */

 import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs

 /*
 * Jinja 2 Docs:
@@ -25,25 +27,24 @@ import python
 * safe1_tmpl = Template('Hello {{ name }}!', autoescape=True)
 */

-ClassValue jinja2EnvironmentOrTemplate() {
-  result = Value::named("jinja2.Environment")
+private API::Node jinja2EnvironmentOrTemplate() {
+  result = API::moduleImport("jinja2").getMember("Environment")
  or
-  result = Value::named("jinja2.Template")
+  result = API::moduleImport("jinja2").getMember("Template")
 }

-ControlFlowNode getAutoEscapeParameter(CallNode call) { result = call.getArgByName("autoescape") }
-
-from CallNode call
+from API::CallNode call
 where
-  call.getFunction().pointsTo(jinja2EnvironmentOrTemplate()) and
-  not exists(call.getNode().getStarargs()) and
-  not exists(call.getNode().getKwargs()) and
+  call = jinja2EnvironmentOrTemplate().getACall() and
+  not exists(call.asCfgNode().(CallNode).getNode().getStarargs()) and
+  not exists(call.asCfgNode().(CallNode).getNode().getKwargs()) and
  (
-    not exists(getAutoEscapeParameter(call))
+    not exists(call.getArgByName("autoescape"))
    or
-    exists(Value isFalse |
-      getAutoEscapeParameter(call).pointsTo(isFalse) and
-      isFalse.getDefiniteBooleanValue() = false
-    )
+    call.getKeywordParameter("autoescape")
+        .getAValueReachingRhs()
+        .asExpr()
+        .(ImmutableLiteral)
+        .booleanValue() = false
  )
 select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."
--- a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected
+++ b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected
@@ -2,4 +2,5 @@
 | jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:50:13:50:40 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |