
OSSN/OSSN-0070

Revision as of 13:01, 30 August 2016 by Lhinds


Bandit versions lower than 1.1.0 do not escape HTML in issue reports

Summary

Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that does not escape HTML in issue context snippets. This could lead to an XSS if HTML reports are hosted as part of a CI pipeline.

Affected Services / Software

Bandit: < 1.1.0

Discussion

Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that does not escape HTML in issue context snippets. This could lead to an XSS attack if HTML reports are hosted as part of a CI pipeline because HTML in the source code would be copied verbatim into the report. For example:

 import subprocess
 subprocess.Popen("<script>alert(1)</script>", shell=True)

This will cause the string "<script>alert(1)</script>" to be inserted verbatim into the HTML report. This issue could allow for arbitrary code injection into CI/CD pipelines that feature accessible HTML reports generated from Bandit runs.
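The following is an added illustration, not Bandit's own formatter code: a simplified issue record (constructed here, with a B602-style finding whose context snippet is the line above) rendered first the way a formatter that interpolates the snippet verbatim would, then with every untrusted field passed through html.escape, which is the fix that version 1.1.0 applies to the report.

```python
import html

# Constructed sample issue, shaped like the data a report formatter receives:
# the "code" field is the source context copied from the scanned file.
SAMPLE_ISSUE = {
    "test_id": "B602",
    "issue_text": "subprocess call with shell=True identified, security issue.",
    "filename": "example.py",
    "line_number": 2,
    "code": '2 subprocess.Popen("<script>alert(1)</script>", shell=True)\n',
}


def render_issue_unescaped(issue):
    """Pre-1.1.0 behaviour: the context snippet lands in the markup as-is,
    so any HTML present in the scanned source becomes live HTML in the report."""
    return (
        "<div class='issue'>"
        f"<b>{issue['test_id']}</b>: {issue['issue_text']}<br>"
        f"{issue['filename']}:{issue['line_number']}"
        f"<pre>{issue['code']}</pre></div>"
    )


def render_issue_escaped(issue):
    """Hardened form: every field that originates from the scanned code base is
    HTML-escaped before interpolation, so the snippet is displayed, not executed."""
    esc = html.escape  # escapes <, >, & and (by default) quotes
    return (
        "<div class='issue'>"
        f"<b>{esc(issue['test_id'])}</b>: {esc(issue['issue_text'])}<br>"
        f"{esc(issue['filename'])}:{int(issue['line_number'])}"
        f"<pre>{esc(issue['code'])}</pre></div>"
    )


def render_report(issues, escape=True):
    """Assemble a whole report; escape=False reproduces the vulnerable output."""
    render = render_issue_escaped if escape else render_issue_unescaped
    body = "".join(render(i) for i in issues)
    return f"<html><body><h1>Bandit Report</h1>{body}</body></html>"


if __name__ == "__main__":
    print(render_report([SAMPLE_ISSUE], escape=False))
    print(render_report([SAMPLE_ISSUE]))
```

Viewing the first report in a browser runs the injected script; the second shows the snippet as literal text, which is the behaviour a CI-hosted report needs.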

Recommended Actions

Update bandit to version 1.1.0 or greater.

Contacts / References