-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathJinja2WithoutEscaping.ql
More file actions
48 lines (43 loc) · 1.31 KB
/
Jinja2WithoutEscaping.ql
File metadata and controls
48 lines (43 loc) · 1.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
/**
* @name Jinja2 templating with autoescape=False
* @description Using jinja2 templates with 'autoescape=False' can
* cause a cross-site scripting vulnerability.
* @kind problem
* @problem.severity error
* @precision medium
* @id py/jinja2/autoescape-false
* @tags security
* external/cwe/cwe-079
*/
import python
ClassObject jinja2EnvironmentOrTemplate() {
exists(ModuleObject jinja2, string name |
jinja2.getName() = "jinja2" and
jinja2.getAttribute(name) = result |
name = "Environment" or
name = "Template"
)
}
ControlFlowNode getAutoEscapeParameter(CallNode call) {
exists(Object callable |
call.getFunction().refersTo(callable) |
callable = jinja2EnvironmentOrTemplate() and
result = call.getArgByName("autoescape")
)
}
from CallNode call
where
not exists(call.getNode().getStarargs()) and
not exists(call.getNode().getKwargs()) and
(
not exists(getAutoEscapeParameter(call)) and
exists(Object env |
call.getFunction().refersTo(env) and
env = jinja2EnvironmentOrTemplate()
)
or
exists(Object isFalse |
getAutoEscapeParameter(call).refersTo(isFalse) and isFalse.booleanValue() = false
)
)
select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."