weixin_39704374 2020-11-30 02:08

Include Bandit security checker in CI

https://developer.rackspace.com/blog/getting-started-with-bandit/

Example output from running against Crossbar.io codebase: https://gist.github.com/oberstet/2739a2864f218d24c765e5b7c7550323

This question originates from the open-source project: crossbario/crossbar



  • weixin_39704374 2020-11-30 02:08
    
    >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
       Severity: High   Confidence: High
       Location: crossbar/worker/worker.py:90
    89                         templates_dir=templates_dir)
    90          self._templates = jinja2.Environment(loader=jinja2.FileSystemLoader(templates_dir))
    

    bogus, as jinja2 is only run on our own templates that come with Crossbar.io (part of the package) - NOT on user provided templates:

    • https://github.com/crossbario/crossbar/tree/master/crossbar/web/templates
    • https://github.com/crossbario/crossbar/tree/master/crossbar/templates

    However, we can of course set the flag - no harm (no gain) - but then we don't have to explain the details above.

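To show what the quoted B701 finding is actually testing for, here is an added example (not Bandit's own code and not part of the crossbar project): a simplified, stdlib-only re-implementation of the check, run over a constructed snippet whose second line mirrors the flagged `worker.py` call. It assumes Python 3.8+ (`ast.Constant`) and a hypothetical helper name `my_func` in one test input.

```python
"""Simplified re-implementation of the idea behind Bandit's B701 check
(jinja2 Environment created without a safe autoescape setting).
Added example for this thread; it is not Bandit's code."""
import ast
from typing import List, Optional, Tuple


def _is_environment_call(call: ast.Call) -> bool:
    # Matches both `jinja2.Environment(...)` and a bare `Environment(...)`.
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr == "Environment"
    return isinstance(func, ast.Name) and func.id == "Environment"


def check_b701(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, severity) findings for Environment(...) calls.

    HIGH   : autoescape keyword missing (jinja2 default is False) or False
    MEDIUM : autoescape is a call other than select_autoescape, or an
             expression this static check cannot evaluate
    (none) : autoescape=True or autoescape=select_autoescape(...)
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_environment_call(node)):
            continue
        autoescape: Optional[ast.expr] = next(
            (kw.value for kw in node.keywords if kw.arg == "autoescape"), None
        )
        if autoescape is None:
            findings.append((node.lineno, "HIGH"))
        elif isinstance(autoescape, ast.Constant):
            if not autoescape.value:
                findings.append((node.lineno, "HIGH"))
        elif isinstance(autoescape, ast.Call):
            f = autoescape.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name != "select_autoescape":
                findings.append((node.lineno, "MEDIUM"))
        else:
            findings.append((node.lineno, "MEDIUM"))
    return sorted(findings)


# Constructed sample: line 2 mirrors the flagged crossbar line; lines 3-4 are
# the two ways to silence the finding; line 5 is an explicit opt-out.
SAMPLE = """import jinja2
env_bad = jinja2.Environment(loader=jinja2.FileSystemLoader("t"))
env_ok = jinja2.Environment(loader=jinja2.FileSystemLoader("t"), autoescape=True)
env_sel = jinja2.Environment(autoescape=jinja2.select_autoescape(["html"]))
env_off = jinja2.Environment(autoescape=False)
"""

if __name__ == "__main__":
    for line, sev in check_b701(SAMPLE):
        print(f"B701 {sev}: Environment() without safe autoescape at line {line}")
```

Bandit itself also honours a trailing `# nosec` comment on a flagged line, which is the usual way to record a reviewed-and-accepted finding like the one above without changing the code.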
