yahoo-eng-team team mailing list archive
Message #65557
[Bug 1701712] [NEW] Bandit scanning on Nova generates false positives of high severity issue "jinja2_autoescape_false"
Public bug reported:
In the report generated by Bandit when scanning the Nova code, there
are two security issues estimated as high severity, as shown below. We
believe that these two issues are false positives. Therefore, the lines
of Nova code that trigger these Bandit issues should be marked with
something like # nosec so that any results associated with them will not
be reported by Bandit.
--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
Severity: High Confidence: High
Location: nova/console/xvp.py:113
112 tmpl_path, tmpl_file = os.path.split(CONF.injected_network_template)
113 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path))
114 env.filters['pass_encode'] = self.fix_console_password
--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
Severity: High Confidence: High
Location: nova/virt/netutils.py:174
173 tmpl_path, tmpl_file = os.path.split(template)
174 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path),
175 trim_blocks=True)
176 template = env.get_template(tmpl_file)
The reasons we think the above issues are false positives are:
"When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_network_template" configured in nova.conf is a text-format template with different rules, and is not intended to be executable. An example template is https://github.com/openstack/nova/blob/stable/ocata/nova/virt/interfaces.template
This bug exists in multiple releases of Nova, including the master
branch, Ocata, Newton, etc.
References:
[1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html
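An added illustration of the point above; it is not code from Nova or from this bug report. Two constructed templates (a plain-text network config in the style of interfaces.template and a genuine HTML snippet) are rendered with a constructed set of interface values, with autoescape off, on, and governed by jinja2.select_autoescape(), which escapes only templates whose file extension marks them as HTML/XML and which Bandit's B701 check accepts as the autoescape argument. The template text, the values and the file names are all made up for the example; if jinja2 is not importable, the block falls back to a minimal {{ var }} substitution that applies the same HTML escaping, so the comparison still runs.

```python
"""What Jinja2 autoescape does to a text-format template versus an HTML one.

Added example, not Nova's code.  Templates, values and file names below are
constructed for illustration.
"""
import html
import re

try:
    import jinja2
    HAVE_JINJA2 = True
except ImportError:  # fallback keeps the example runnable without jinja2
    jinja2 = None
    HAVE_JINJA2 = False

# Constructed templates: a text config in the style of interfaces.template
# (a real one also uses {% for %} / {% if %} blocks) and an HTML fragment.
TEMPLATES = {
    "interfaces.template": (
        "auto {{ name }}\n"
        "iface {{ name }} inet static\n"
        "    address {{ address }}\n"
        "    dns-search {{ dns_search }}\n"
    ),
    "banner.html": "<p>{{ dns_search }}</p>\n",
}

# Constructed values; dns_search carries characters that HTML escaping rewrites.
VALUES = {"name": "eth0", "address": "10.0.0.5", "dns_search": "a&b<c>"}

_VAR = re.compile(r"{{\s*(\w+)\s*}}")


class _MiniTemplate:
    """Stand-in used only when jinja2 is absent: {{ var }} substitution with
    the same &, <, > escaping jinja2 applies when autoescape is on."""

    def __init__(self, source, autoescape):
        self.source, self.autoescape = source, autoescape

    def render(self, **values):
        def sub(match):
            text = str(values[match.group(1)])
            return html.escape(text, quote=False) if self.autoescape else text
        return _VAR.sub(sub, self.source)


def _is_markup(template_name):
    """Per-template policy: escape only templates that produce markup."""
    return template_name.rsplit(".", 1)[-1] in ("html", "htm", "xml")


def render(template_name, autoescape="by-extension"):
    """Render one of the constructed templates with the given policy.

    autoescape=True/False mirrors jinja2.Environment(autoescape=...);
    "by-extension" mirrors autoescape=jinja2.select_autoescape(...), so the
    HTML template is escaped and the text template is left untouched.
    """
    if HAVE_JINJA2:
        policy = (jinja2.select_autoescape(("html", "htm", "xml"))
                  if autoescape == "by-extension" else autoescape)
        env = jinja2.Environment(loader=jinja2.DictLoader(TEMPLATES),
                                 autoescape=policy,
                                 keep_trailing_newline=True)  # keep config's final newline
        return env.get_template(template_name).render(**VALUES)
    flag = _is_markup(template_name) if autoescape == "by-extension" else autoescape
    return _MiniTemplate(TEMPLATES[template_name], flag).render(**VALUES)


if __name__ == "__main__":
    for mode in (False, True, "by-extension"):
        print(f"--- autoescape={mode!r}")
        print(render("interfaces.template", mode), end="")
        print(render("banner.html", mode), end="")
```

Rewriting a&b<c> as a&amp;b&lt;c&gt; is right for the HTML template and silently corrupts the text one, which is why a # nosec on a line that only ever renders text templates is a reasonable response to B701. A select_autoescape() policy reaches the same result without suppressing the finding, and any HTML template later loaded through the same Environment stays covered.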
** Affects: nova
Importance: Undecided
Assignee: Zhen Qin (zqinit)
Status: New
** Tags: bandit
** Description changed:
In the report generated by Bandit that scans against Nova code, there
are two security issues estimated as high severity as shown below. We
believe that these two issues are false positives. Therefore, the line
of Nova codes that trigger such Bandit issues should be marked with
something like # nosec so that any results associated with it will not
be reported by Bandit.
--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
- Severity: High Confidence: High
- Location: nova/console/xvp.py:113
+ Severity: High Confidence: High
+ Location: nova/console/xvp.py:113
112 tmpl_path, tmpl_file = os.path.split(CONF.injected_network_template)
113 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path))
114 env.filters['pass_encode'] = self.fix_console_password
--------------------------------------------------
>> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
- Severity: High Confidence: High
- Location: nova/virt/netutils.py:174
+ Severity: High Confidence: High
+ Location: nova/virt/netutils.py:174
173 tmpl_path, tmpl_file = os.path.split(template)
174 env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path),
175 trim_blocks=True)
176 template = env.get_template(tmpl_file)
The reasons that we think the above issue is false positive are:
- "When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_network_template" configured in nova.conf is a template with text format with different rules, and intended to be executable. An example template is https://github.com/openstack/nova/blob/stable/ocata/nova/virt/interfaces.template
+ "When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_network_template" configured in nova.conf is a template with text format with different rules, and is not intended to be executable. An example template is https://github.com/openstack/nova/blob/stable/ocata/nova/virt/interfaces.template
This bug exists in multiple releases of Nova, including master branch,
Ocata, Newton etc.
References:
[1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html
** Tags added: bandit
** Changed in: nova
Assignee: (unassigned) => Zhen Qin (zqinit)
https://bugs.launchpad.net/bugs/1701712