Merge pull request #538 from markshannon/python-jinja2-autoescape

taus-semmle · web-flow · commit c75fa28510f7 · 2018-11-28T17:32:17.000+01:00
Python: New query to check for use of jinja2 templates without auto-escaping
diff --git a/change-notes/1.19/analysis-python.md b/change-notes/1.19/analysis-python.md
@@ -56,9 +56,10 @@ A new predicate `Stmt.getAnEntryNode()` has been added to make it easier to writ
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Enabled on LGTM by default. |
-| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Enabled on LGTM by default. |
-| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Not enabled on LGTM by default. |
+| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Results are shown on LGTM by default. |
+| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Results are shown on LGTM by default. |
+| Jinja2 templating with autoescape=False (`py/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of `jinja2.Environment` with `autoescape=False` which may allow XSS attacks. Results are hidden on LGTM by default. |
+| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Results are hidden on LGTM by default. |
 
 ## Changes to existing queries
 
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+
+Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
+The <code>jinja2</code> templates may be vulnerable to XSS if the environment has <code>autoescape</code> set to <code>False</code>.
+Unfortunately, <code>jinja2</code> sets <code>autoescape</code> to <code>False</code> by default.
+Explicitly setting <code>autoescape</code> to <code>True</code> when creating an <code>Environment</code> object will prevent this.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid setting jinja2 autoescape to False.
+Jinja2 provides the function <code>select_autoescape</code> to make sure that the correct auto-escaping is chosen.
+For example, it can be used when creating an environment <code>Environment(autoescape=select_autoescape(['html', 'xml'])</code>
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example is a minimal Flask app which shows a safe and an unsafe way to render the given name back to the page.
+The first view is unsafe as <code>first_name</code> is not escaped, leaving the page vulnerable to cross-site scripting attacks.
+The second view is safe as <code>first_name</code> is escaped, so it is not vulnerable to cross-site scripting attacks.
+</p>
+<sample src="examples/jinja2.py" />
+</example>
+
+<references>
+<li>
+Jinja2: <a href="http://jinja.pocoo.org/docs/2.10/api/">API</a>.
+</li>
+<li>
+Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a>.
+</li>
+</references>
+</qhelp>
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -0,0 +1,48 @@
+/**
+ * @name Jinja2 templating with autoescape=False
+ * @description Using jinja2 templates with 'autoescape=False' can
+ *              cause a cross-site scripting vulnerability.
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id py/jinja2/autoescape-false
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import python
+
+ClassObject jinja2EnvironmentOrTemplate() {
+    exists(ModuleObject jinja2, string name |
+        jinja2.getName() = "jinja2" and
+        jinja2.getAttribute(name) = result |
+        name = "Environment" or
+        name = "Template"
+    )
+}
+
+ControlFlowNode getAutoEscapeParameter(CallNode call) {
+    exists(Object callable |
+        call.getFunction().refersTo(callable) |
+        callable = jinja2EnvironmentOrTemplate() and
+        result = call.getArgByName("autoescape")
+    )
+}
+
+from CallNode call
+where
+not exists(call.getNode().getStarargs()) and
+not exists(call.getNode().getKwargs()) and
+(
+    not exists(getAutoEscapeParameter(call)) and
+    exists(Object env |
+        call.getFunction().refersTo(env) and
+        env = jinja2EnvironmentOrTemplate()
+    )
+    or
+    exists(Object isFalse |
+        getAutoEscapeParameter(call).refersTo(isFalse) and isFalse.booleanValue() = false
+    )
+)
+
+select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."
diff --git a/python/ql/src/Security/CWE-079/examples/jinja2.py b/python/ql/src/Security/CWE-079/examples/jinja2.py
@@ -0,0 +1,27 @@
+from flask import Flask, request, make_response, escape
+from jinja2 import Environment, select_autoescape, FileSystemLoader
+
+app = Flask(__name__)
+loader = FileSystemLoader( searchpath="templates/" )
+
+unsafe_env = Environment(loader=loader)
+safe1_env = Environment(loader=loader, autoescape=True)
+safe2_env = Environment(loader=loader, autoescape=select_autoescape())
+
+def render_response_from_env(env):
+    name = request.args.get('name', '')
+    template = env.get_template('template.html')
+    return make_response(template.render(name=name))
+
+@app.route('/unsafe')
+def unsafe():
+    return render_response_from_env(unsafe_env)
+
+@app.route('/safe1')
+def safe1():
+    return render_response_from_env(safe1_env)
+
+@app.route('/safe2')
+def safe2():
+    return render_response_from_env(safe2_env)
+
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected
@@ -0,0 +1,5 @@
+| jinja2_escaping.py:9:14:9:39 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
diff --git a/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.qlref
@@ -0,0 +1 @@
+Security/CWE-079/Jinja2WithoutEscaping.ql
diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -1,6 +1,8 @@
 edges
 | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string |
 | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string |
+| jinja2_escaping.py:14:12:14:23 | dict of externally controlled string | jinja2_escaping.py:14:12:14:39 | externally controlled string |
+| jinja2_escaping.py:14:12:14:39 | externally controlled string | jinja2_escaping.py:16:47:16:50 | externally controlled string |
 | reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
 | reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
 | reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string |
diff --git a/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py b/python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py
@@ -0,0 +1,55 @@
+
+Environment(loader=templateLoader, autoescape=fake_func())
+from flask import Flask, request, make_response, escape
+from jinja2 import Environment, select_autoescape, FileSystemLoader, Template
+
+app = Flask(__name__)
+loader = FileSystemLoader( searchpath="templates/" )
+
+unsafe_env = Environment(loader=loader)
+safe1_env = Environment(loader=loader, autoescape=True)
+safe2_env = Environment(loader=loader, autoescape=select_autoescape())
+
+def render_response_from_env(env):
+    name = request.args.get('name', '')
+    template = env.get_template('template.html')
+    return make_response(template.render(name=name))
+
+@app.route('/unsafe')
+def unsafe():
+    return render_response_from_env(unsafe_env)
+
+@app.route('/safe1')
+def safe1():
+    return render_response_from_env(safe1_env)
+
+@app.route('/safe2')
+def safe2():
+    return render_response_from_env(safe2_env)
+
+# Explicit autoescape
+
+e = Environment(
+    loader=loader,
+    autoescape=select_autoescape(['html', 'htm', 'xml'])
+) # GOOD
+
+# Additional checks with flow.
+auto = select_autoescape
+e = Environment(autoescape=auto) # GOOD
+z = 0
+e = Environment(autoescape=z) # BAD
+E = Environment
+E() # BAD
+E(autoescape=z) # BAD
+E(autoescape=auto) # GOOD
+E(autoescape=0+1) # GOOD
+
+def checked(cond=False):
+    if cond:
+        e = Environment(autoescape=cond) # GOOD
+
+
+unsafe_tmpl = Template('Hello {{ name }}!')
+safe1_tmpl = Template('Hello {{ name }}!', autoescape=True)
+safe2_tmpl = Template('Hello {{ name }}!', autoescape=select_autoescape())
diff --git a/python/ql/test/query-tests/Security/lib/jinja2.py b/python/ql/test/query-tests/Security/lib/jinja2.py
@@ -0,0 +1,20 @@
+
+class Environment(object):
+
+    def __init__(self, loader, autoescape):
+        pass
+
+class Template(object):
+
+    def __init__(self, source, autoescape):
+        pass
+
+def select_autoescape(files=[]):
+    def autoescape(template_name):
+        pass
+    return autoescape
+
+class FileSystemLoader(object):
+
+    def __init__(self, searchpath):
+        pass

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE-079/Jinja2WithoutEscaping.ql`