by Grayson Hardaway, Engineering @ r2c
get this check now in Bento: https://bento.dev
Sometimes… Jinja templates will bite you.
Some of us at r2c occasionally have a personal coding project going. A few months ago, I built a classified ads-style web application for splitting the cost of rooms at an upcoming event I’m planning. I chose to write the app using Flask to get inspiration for the custom Flask checks going in to our program analysis tool, Bento.
The app itself was simple, consisting of create, read, update, and delete routes for room-sharers, using DynamoDB for storage. It used only two templates — a landing page template with all the ”ads“ and an email template that included edit and delete links, similar to how Craigslist works.
Meanwhile at r2c, checking the security of Jinja templates was highly requested. Jinja templates can be scary, especially given that autoescaping is not enabled by default. Flask, which internally uses Jinja, enables autoescaping to mitigate cross-site scripting (XSS) attacks. However, this line in the Flask documentation gave me a shock:
Unless customized, Jinja2 is configured by Flask as follows: autoescaping is enabled for all templates ending in
.xmlas well as
Huh. My landing page template had a
.html extension, but my email template had a
Welp. 😐 Since the mail library I used was sending an HTML email, it turns out I could XSS my little app. And so, allow me to introduce this check which looks for calls to
render_template() that don’t use one of the four valid extensions!
The check will detect these cases.
# Unescaped template extensions @app.route("/unsafe") def unsafe(): return render_template("unsafe.txt", name=request.args.get("name")) @app.route("/another_unsafe") def another_unsafe(): return render_template("unsafe.jinja2", name=request.args.get("name"))
The check considers these cases acceptable.
# Autoescaped template extension @app.route("/safe") def safe(): return render_template("safe.html", name=request.args.get("name")) # No variables @app.route("no_vars") def no_vars(): return render_template("unsafe.txt"))
As always, we use our program analysis platform to see what the check looks like when run over real code. Of the 715 Flask apps on GitHub we used as our test set, the check fired on 13 repos. Here’s a breakdown of the template extensions which fired:
|extension||number of repos|
You can check your own codebase right now with Bento:
$ pip3 install bento-cli && bento init