
B701 false positive when using jinja2.select_autoescape() instead of select_autoescape() #711

Closed
paw-lu opened this issue May 18, 2021 · 2 comments
Labels
bug Something isn't working

Comments


paw-lu commented May 18, 2021

Describe the bug

When using select_autoescape from the jinja2 namespace directly (jinja2.select_autoescape()), a false positive s701 is raised.

To Reproduce
Steps to reproduce the behavior:

"""false_positive.py"""
import jinja2

env = jinja2.Environment(
    loader=jinja2.PackageLoader("nbpreview"),
    autoescape=jinja2.select_autoescape(),
)
% bandit false_positive.py
...
>> Issue: [B701:jinja2_autoescape_false] Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Ensure autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities
...
"""true_negative.py"""
from jinja2 import (
    Environment,
    PackageLoader,
    select_autoescape
)

env = Environment(
    loader=PackageLoader("nbpreview"),
    autoescape=select_autoescape(),
)
% bandit true_negative.py
...
Test results:
        No issues identified.
...

Expected behavior

I expect both of the above files to pass and not raise s701. I expect bandit to accept jinja2.select_autoescape() as a valid safe argument.

Bandit version

% bandit --version
bandit 1.7.0
  python version = 3.8.6 (default, Nov 11 2020, 10:17:13) [Clang 11.0.3 (clang-1103.0.32.62)]

Thanks for the project!

@paw-lu paw-lu added the bug Something isn't working label May 18, 2021
@paw-lu paw-lu changed the title s701 false positive when using jinja2.select_autoescape() when not using from imports s701 false positive when using jinja2.select_autoescape() instead of select_autoescape() May 18, 2021
@paw-lu paw-lu changed the title s701 false positive when using jinja2.select_autoescape() instead of select_autoescape() B701 false positive when using jinja2.select_autoescape() instead of select_autoescape() May 18, 2021
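The report above boils down to a name-resolution problem in the checker: `autoescape=select_autoescape()` is recognised, but the module-qualified `autoescape=jinja2.select_autoescape()` is not, even though both produce exactly the same `Environment`. The following is an added example written for this page, not bandit's own B701 plugin: a small `ast`-based checker that normalises `foo(...)` and `mod.foo(...)` to the same callee name before classifying the `autoescape` argument, so both spellings are accepted, while `autoescape=False`, a missing `autoescape` (jinja2 defaults it to `False`) and values that cannot be decided statically are still reported. The function names, the `Finding` type and the sample sources (the two files from the report plus a constructed unsafe variant) are assumptions made for the illustration.

```python
"""Recognise both bare and module-qualified select_autoescape() when checking
jinja2 Environment(...) calls.

Added example, not bandit's own B701 implementation. The helper names, the
Finding type and the sample sources below are constructed for this page.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Callees whose return value is an acceptable autoescape setting.
SAFE_CALLEES = {"select_autoescape"}


@dataclass
class Finding:
    lineno: int
    reason: str


def _callee_name(node: ast.AST) -> Optional[str]:
    """Return the unqualified callee name for ``foo(...)`` or ``mod.foo(...)``.

    ``jinja2.select_autoescape`` and ``select_autoescape`` both yield
    ``"select_autoescape"``; this normalisation is what the report asks for.
    """
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _autoescape_is_safe(value: ast.AST) -> Optional[bool]:
    """Classify the ``autoescape=`` argument.

    True  -> provably safe (``True`` literal or a select_autoescape() call)
    False -> provably unsafe (``False`` literal)
    None  -> cannot decide statically (variable, other callable, ...)
    """
    if isinstance(value, ast.Constant) and isinstance(value.value, bool):
        return value.value
    if isinstance(value, ast.Call) and _callee_name(value.func) in SAFE_CALLEES:
        return True
    return None


def check_autoescape(source: str) -> List[Finding]:
    """Report Environment(...) constructions whose autoescape setting is
    unsafe or undecidable. A missing ``autoescape`` keyword is reported
    because jinja2 defaults it to False."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) != "Environment":
            continue
        autoescape = next(
            (kw.value for kw in node.keywords if kw.arg == "autoescape"), None
        )
        if autoescape is None:
            findings.append(Finding(node.lineno, "autoescape not set (defaults to False)"))
            continue
        verdict = _autoescape_is_safe(autoescape)
        if verdict is False:
            findings.append(Finding(node.lineno, "autoescape=False"))
        elif verdict is None:
            findings.append(Finding(node.lineno, "autoescape value cannot be verified statically"))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed inputs: the two files from the report plus an unsafe variant.
QUALIFIED_SRC = '''\
import jinja2

env = jinja2.Environment(
    loader=jinja2.PackageLoader("nbpreview"),
    autoescape=jinja2.select_autoescape(),
)
'''

FROM_IMPORT_SRC = '''\
from jinja2 import Environment, PackageLoader, select_autoescape

env = Environment(
    loader=PackageLoader("nbpreview"),
    autoescape=select_autoescape(),
)
'''

UNSAFE_SRC = '''\
import jinja2

env = jinja2.Environment(loader=jinja2.PackageLoader("app"), autoescape=False)
env2 = jinja2.Environment(loader=jinja2.PackageLoader("app"))
'''

if __name__ == "__main__":
    for name, src in [("qualified", QUALIFIED_SRC), ("from-import", FROM_IMPORT_SRC), ("unsafe", UNSAFE_SRC)]:
        print(name, check_autoescape(src))
```

Matching on the unqualified attribute name is deliberately coarse: it treats `anything.select_autoescape()` as safe, which is the trade-off a linter makes to avoid exactly the false positive reported here without tracking imports. Run on the two sources from the report it returns no findings for either; on the constructed unsafe file it reports both the explicit `autoescape=False` and the omitted keyword.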
@paw-lu (Author)

paw-lu commented May 18, 2021

Missed this the first time, but looks like this is a duplicate of #453

shifqu added a commit to shifqu/pytest-generator that referenced this issue Aug 21, 2021
This avoids a false positive for B701, PyCQA/bandit#711

Also ran black and added docstring
@ericwb (Member)

ericwb commented Jul 11, 2022

Fixed with #454 and dup of #454

@ericwb ericwb closed this as completed Jul 11, 2022