From f909c5a3b8c551eb09dcaf95b27b8a546ccda8e3 Mon Sep 17 00:00:00 2001
From: clavedeluna
Date: Wed, 27 Sep 2023 11:33:14 -0300
Subject: [PATCH] add docs
---
 .../pixee_python_enable-jinja2-autoescape.md | 17 +++++++++++++++++
 tests/codemods/test_enable_jinja2_autoescape.py | 3 +--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md
diff --git a/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md b/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md
new file mode 100644
index 00000000..7fd9ffa4
--- /dev/null
+++ b/src/core_codemods/docs/pixee_python_enable-jinja2-autoescape.md
@@ -0,0 +1,17 @@
+This codemod ensures you configure jinja2 to turn on autoescaping of HTML content. Unfortunately, the jinja2
+default behavior is to not autoescape when rendering templates, which makes your applications
+vulnerable to Cross-Site Scripting (XSS) attacks.
+
+Our codemod currently checks if you forgot to turn autoescape on or if you explicitly disabled it. The change looks as follows:
+
+```diff
+ from jinja2 import Environment
+
+- env = Environment()
+- env = Environment(autoescape=False, loader=some-loader)
++ env = Environment(autoescape=True)
++ env = Environment(autoescape=True, loader=some-loader)
+ ...
+```
+
+At this time, this codemod will not detect if `autoescape` is assigned to a callable.
diff --git a/tests/codemods/test_enable_jinja2_autoescape.py b/tests/codemods/test_enable_jinja2_autoescape.py
index 13e42263..6f8bbd36 100644
--- a/tests/codemods/test_enable_jinja2_autoescape.py
+++ b/tests/codemods/test_enable_jinja2_autoescape.py
@@ -1,5 +1,4 @@
-import pytest
-from codemodder.codemods.enable_jinja2_autoescape import EnableJinja2Autoescape
+from core_codemods.enable_jinja2_autoescape import EnableJinja2Autoescape
 from tests.codemods.base_codemod_test import BaseSemgrepCodemodTest