# Semgrep rule: flag flask.render_template() calls whose template filename
# does not end in one of the extensions for which Flask turns on Jinja
# autoescaping. A template rendered without autoescaping interpolates
# context values verbatim, so any attacker-controlled value reaching the
# template is a reflected/stored XSS sink (CWE-79).
#
# Known blind spots / noise sources (see the notes on the individual
# patterns below):
#   - autoescaping can be forced on outside this call site
#     (app.jinja_env.autoescape, a `{% autoescape true %}` block, or an
#     overridden select_jinja_autoescape); the rule cannot see that, so it
#     is an `audit` finding with LOW confidence rather than a definite bug.
#   - templates that never end up in an HTML response (plain-text email
#     bodies, .txt, .csv ...) are reported too; triage those by where the
#     rendered output goes.
rules:
  - id: unescaped-template-extension
    message: >-
      Flask does not automatically escape Jinja templates unless they have
      .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks.
      Use .html, .htm, .xml, or .xhtml for your template extensions.
      See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
      for more information.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      source-rule-url: https://pypi.org/project/flake8-flask/
      references:
        - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
        - https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/
        - https://bento.dev/checks/flask/unescaped-file-extension/
      category: security
      technology:
        - flask
      cwe2022-top25: true
      cwe2021-top25: true
      # `audit`: the finding needs a human to confirm the template is
      # rendered into HTML and that autoescaping is not enabled elsewhere.
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      # LOW because the rule only sees the filename at the call site, not
      # the app/environment-level autoescape configuration.
      confidence: LOW
    patterns:
      # Allow-list: template names ending in an extension Flask autoescapes.
      # The regexes are anchored at the end and case-sensitive, matching the
      # extension check described in the message. They are repeated for each
      # literal shape that the positive patterns below can match (plain
      # literal, `prefix + literal`, `literal % args`, `literal.format(...)`).
      # NOTE(review): newer Flask releases are reported to autoescape .svg as
      # well — confirm against the Flask version in use before extending this
      # list, since adding it would hide findings on older Flask.
      - pattern-not: flask.render_template("=~/.+\.html$/", ...)
      - pattern-not: flask.render_template("=~/.+\.xml$/", ...)
      - pattern-not: flask.render_template("=~/.+\.htm$/", ...)
      - pattern-not: flask.render_template("=~/.+\.xhtml$/", ...)
      - pattern-not: flask.render_template($X + "=~/\.html$/", ...)
      - pattern-not: flask.render_template($X + "=~/\.xml$/", ...)
      - pattern-not: flask.render_template($X + "=~/\.htm$/", ...)
      - pattern-not: flask.render_template($X + "=~/\.xhtml$/", ...)
      - pattern-not: flask.render_template("=~/.+\.html$/" % $X, ...)
      - pattern-not: flask.render_template("=~/.+\.xml$/" % $X, ...)
      - pattern-not: flask.render_template("=~/.+\.htm$/" % $X, ...)
      - pattern-not: flask.render_template("=~/.+\.xhtml$/" % $X, ...)
      - pattern-not: flask.render_template("=~/.+\.html$/".format(...), ...)
      - pattern-not: flask.render_template("=~/.+\.xml$/".format(...), ...)
      - pattern-not: flask.render_template("=~/.+\.htm$/".format(...), ...)
      - pattern-not: flask.render_template("=~/.+\.xhtml$/".format(...), ...)
      # NOTE(review): a bare metavariable matches any single expression,
      # including a string literal, so this also suppresses one-argument
      # calls such as `render_template("page.txt")`. That looks intended as
      # "no context passed, nothing to inject", but Flask templates can still
      # read `request`, `session`, `g` and `config` without any explicit
      # context, so such a template can still be an XSS sink. Confirm whether
      # the exclusion is deliberate before relying on it.
      - pattern-not: flask.render_template($TEMPLATE)
      # Positive match: the template name must contain a string literal, so
      # that the extension can be inspected statically. Names that are purely
      # a variable, or built with an f-string (`f"{page}.txt"`), do not appear
      # to be covered by any of these shapes and will not be reported.
      # render_template_string() is intentionally not in scope here.
      - pattern-either:
          - pattern: flask.render_template("...", ...)
          - pattern: flask.render_template($X + "...", ...)
          - pattern: flask.render_template("..." % $Y, ...)
          - pattern: flask.render_template("...".format(...), ...)
    languages: [python]
    severity: WARNING