-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathJinja2WithoutEscaping.ql
More file actions
56 lines (52 loc) · 1.76 KB
/
Jinja2WithoutEscaping.ql
File metadata and controls
56 lines (52 loc) · 1.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
/**
* @name Jinja2 templating with autoescape=False
* @description Using jinja2 templates with autoescape=False can
* cause a cross-site scripting vulnerability.
* @kind problem
* @problem.severity error
* @precision medium
* @id py/jinja2/autoescape-false
* @tags security
* external/cwe/cwe-079
*/
import python
predicate jinja2Environment(Object callable, int autoescape) {
exists(ModuleObject jinja2 |
jinja2.getName() = "jinja2" |
jinja2.getAttribute("Environment") = callable and
callable.(ClassObject).getPyClass().getInitMethod().getArg(autoescape+1).asName().getId() = "autoescape"
or
exists(ModuleObject environment |
environment.getAttribute("Template") = callable and
callable.(ClassObject).lookupAttribute("__new__").(FunctionObject).getFunction().getArg(autoescape+1).asName().getId() = "autoescape"
)
)
}
ControlFlowNode getAutoEscapeParameter(CallNode call) {
exists(Object callable |
call.getFunction().refersTo(callable) |
jinja2Environment(callable, _) and
result = call.getArgByName("autoescape")
or
exists(int arg |
jinja2Environment(callable, arg) and
result = call.getArg(arg)
)
)
}
from CallNode call
where
not exists(call.getNode().getStarargs()) and
not exists(call.getNode().getKwargs()) and
(
not exists(getAutoEscapeParameter(call)) and
exists(Object env |
call.getFunction().refersTo(env) and
jinja2Environment(env, _)
)
or
exists(Object isFalse |
getAutoEscapeParameter(call).refersTo(isFalse) and isFalse.booleanValue() = false
)
)
select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."