
Refactoring: Using Jinja2 templates #254

Open: wants to merge 6 commits into base: master

Conversation

exeba (Contributor) commented Jul 4, 2022

I've been doing a bit of refactoring to make the code clearer to me.
If you think this is helpful here is my pull request.

env = jinja2.Environment(
loader = jinja2.FileSystemLoader('./templates'),
extensions = ["jinja2_humanize_extension.HumanizeExtension"]
)

opt.semgrep.python.jinja2.security.audit.autoescape-disabled.autoescape-disabled: Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting autoescape=True.

Reply with "@sonatype-lift help" for info about LiftBot commands.
Reply with "@sonatype-lift ignore" to tell LiftBot to leave out the above finding from this PR.
Reply with "@sonatype-lift ignoreall" to tell LiftBot to leave out all the findings from this PR and from the status bar in Github.

When talking to LiftBot, you need to refresh the page to see its response. Click here to get to know more about LiftBot commands.


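To make the finding above concrete, here is an added example (not code from this pull request or from LiftBot) that renders an untrusted value through an Environment like the one flagged, first without and then with autoescaping. The template text, the `geo.html` / `geo_trusted.html` names and the malicious city string are constructed for the demo and stand in for the project's `./templates` directory.

```python
"""Added example: why a Jinja2 Environment without autoescape is an XSS risk.

Assumptions (constructed, not from the PR): the app renders a visitor's
city into an HTML page, and that value may come from an untrusted source.
"""
from jinja2 import Environment, DictLoader, select_autoescape

# Constructed stand-ins for the project's ./templates directory.
TEMPLATES = {
    "geo.html": "<p>Visitor from {{ city }}</p>",
    # The |safe filter disables escaping for that one expression even when
    # autoescaping is on, so the template author re-assumes the risk there.
    "geo_trusted.html": "<p>Visitor from {{ city | safe }}</p>",
}

# Constructed untrusted input (e.g. a value taken from a request or a
# third-party data source rather than from a trusted constant).
UNTRUSTED_CITY = "<script>alert(document.cookie)</script>"


def make_env(autoescape: bool) -> Environment:
    """Build an Environment like the flagged one, with or without autoescaping.

    autoescape=False is Jinja2's default and what the PR's Environment gets;
    select_autoescape() turns escaping on for .html/.htm/.xml templates.
    """
    return Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(["html", "htm", "xml"]) if autoescape else False,
    )


def render_city(template: str, city: str, autoescape: bool) -> str:
    """Render `template` with the given city and return the HTML string."""
    return make_env(autoescape).get_template(template).render(city=city)


if __name__ == "__main__":
    # Without autoescape the <script> tag is emitted verbatim into the page.
    print(render_city("geo.html", UNTRUSTED_CITY, autoescape=False))
    # With autoescape the same input is rendered as inert text (&lt;script&gt;...).
    print(render_city("geo.html", UNTRUSTED_CITY, autoescape=True))
    # |safe bypasses autoescape: only use it on values that are trusted markup.
    print(render_city("geo_trusted.html", UNTRUSTED_CITY, autoescape=True))
```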

@@ -2,3 +2,5 @@ geoip2==4.5.0
humanize==3.13.1
bottle==0.12.19
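Review bot: the `bottle==0.12.19` pin on the last context line of this hunk is the version the Lift scan reports for CVE-2022-31799 (fixed in 0.12.20, per the finding that follows); since this PR already touches requirements, bump it to `bottle==0.12.20` here rather than leaving the vulnerable pin in place. Separately, the header `@@ -2,3 +2,5 @@` says two lines were added, but only the three unchanged context lines are visible in this excerpt, so the new requirements (presumably Jinja2 and the `jinja2_humanize_extension` package loaded in the snippet quoted in the description) cannot be reviewed here; make sure they are pinned to exact versions like the existing entries.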

Critical OSS Vulnerability:

pkg:pypi/bottle@0.12.19

1 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:pypi/bottle@0.12.19
      CRITICAL Vulnerabilities (1)

        [CVE-2022-31799] CWE-755: Improper Handling of Exceptional Conditions

        Bottle before 0.12.20 mishandles errors during early request binding.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-755

      SEVERE Vulnerabilities (2)
        sonatype-2019-0663

        [sonatype-2019-0663] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        Bottle - Regular expression Denial of Service (ReDoS) vulnerability

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

        sonatype-2020-0020

        [sonatype-2020-0020] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        bottle - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

