Python: New query to check for use of jinja2 templates without auto-escaping.

2026-04-30 19:26:02 +02:00 · 2018-11-19 11:50:10 +00:00
parent e66691a90c
commit 243280dc00
7 changed files with 183 additions and 0 deletions
--- a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
+++ b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
@@ -0,0 +1,4 @@
+| jinja2_escaping.py:9:14:9:39 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
--- a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
+++ b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
@@ -0,0 +1 @@
+Security/CWE-079/Jinja2WithoutEscaping.ql
--- a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -1,6 +1,8 @@
 edges
 | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string |
 | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string |
+| jinja2_escaping.py:14:12:14:23 | dict of externally controlled string | jinja2_escaping.py:14:12:14:39 | externally controlled string |
+| jinja2_escaping.py:14:12:14:39 | externally controlled string | jinja2_escaping.py:16:47:16:50 | externally controlled string |
 | reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
 | reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
 | reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string |
--- a/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
+++ b/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
@@ -0,0 +1,51 @@
+
+Environment(loader=templateLoader, autoescape=fake_func())
+from flask import Flask, request, make_response, escape
+from jinja2 import Environment, select_autoescape, FileSystemLoader
+
+app = Flask(__name__)
+loader = FileSystemLoader( searchpath="templates/" )
+
+unsafe_env = Environment(loader=loader)
+safe1_env = Environment(loader=loader, autoescape=True)
+safe2_env = Environment(loader=loader, autoescape=select_autoescape())
+
+def render_response_from_env(env):
+    name = request.args.get('name', '')
+    template = env.get_template('template.html')
+    return make_response(template.render(name=name))
+
+@app.route('/unsafe')
+def unsafe():
+    return render_response_from_env(unsafe_env)
+
+@app.route('/safe1')
+def safe1():
+    return render_response_from_env(safe1_env)
+
+@app.route('/safe2')
+def safe2():
+    return render_response_from_env(safe2_env)
+
+# Explicit autoescape
+
+e = Environment(
+    loader=loader,
+    autoescape=select_autoescape(['html', 'htm', 'xml'])
+) # GOOD
+
+# Additional checks with flow.
+auto = select_autoescape
+e = Environment(autoescape=auto) # GOOD
+z = 0
+e = Environment(autoescape=z) # BAD
+E = Environment
+E() # BAD
+E(autoescape=z) # BAD
+E(autoescape=auto) # GOOD
+E(autoescape=0+1) # GOOD
+
+def checked(cond=False):
+    if cond:
+        e = Environment(autoescape=cond) # GOOD
+