Last active July 9, 2021 15:39
Gist: minusworld/296fac173631c486663090b1efaeacaf
```yaml
rules:
  - id: user-input-unescaped-extension
    mode: join
    join:
      refs:
        - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/flask-user-input.yaml
          as: user-input
        - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/unescaped-template-extension.yaml
          as: unescaped-extensions
        - rule: https://raw.githubusercontent.com/minusworld/semgrep-library/main/rules/flask/any-template-var.yaml
          renames:
            - from: '$...EXPR'
              to: '$VAR'
          as: template-vars
      on:
        - 'user-input.$VAR == unescaped-extensions.$VALUE'
        - 'unescaped-extensions.$VAR == template-vars.$VAR'
        - 'unescaped-extensions.$PATH ~ template-vars.path'
    message: >-
      The variable '$VAR' is most likely an XSS. This variable originates
      from user input and is rendered in an unescaped manner. An attacker
      could control this variable and input scripts onto rendered pages,
      resulting in all manner of bad juju.
      The best fix is to make sure your template extensions end in '.html',
      which automatically escapes rendered variables.
    severity: ERROR
    metadata:
      hi: hi
```
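The rule's message relies on Flask turning Jinja autoescaping on or off purely by template extension. The stdlib-only Python below is an added example, not part of this gist or of Flask: it reproduces that extension check (Flask's `select_jinja_autoescape` list; `.svg` is only in newer releases), drives it with a constructed toy `{{ var }}` renderer so the `.txt` versus `.html` difference is visible, and adds a defender-side check mirroring the rule's join (user-controlled variables rendered through a non-autoescaping template). The template body and request values are constructed.

```python
import html
import re

# Extensions for which Flask enables Jinja autoescaping when a template is
# rendered by name (mirrors Flask's select_jinja_autoescape; '.svg' is only
# present in newer Flask releases). Anything else, e.g. '.txt', renders raw.
AUTOESCAPED_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml", ".svg")

# Toy placeholder syntax for the demonstration; real Jinja is far richer.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def flask_autoescapes(template_name: str) -> bool:
    """Autoescape is decided by the file extension alone, as in Flask."""
    return template_name.endswith(AUTOESCAPED_EXTENSIONS)


def render_like_flask(template_name: str, source: str, context: dict) -> str:
    """Constructed stand-in for render_template(): substitute {{ var }} and
    HTML-escape values only when the extension turns autoescaping on."""
    escape = flask_autoescapes(template_name)

    def substitute(match):
        value = str(context[match.group(1)])
        return html.escape(value, quote=True) if escape else value

    return _VAR.sub(substitute, source)


def unescaped_user_vars(template_name: str, source: str, user_controlled: set) -> list:
    """The condition the Semgrep join encodes: variables that originate from
    user input AND are rendered through a template that will not autoescape."""
    if flask_autoescapes(template_name):
        return []
    rendered = {m.group(1) for m in _VAR.finditer(source)}
    return sorted(rendered & user_controlled)


if __name__ == "__main__":
    SOURCE = "<p>Hello, {{ name }}!</p>"        # constructed template body
    REQUEST = {"name": "<b>injected</b>"}       # constructed request parameter
    print(render_like_flask("greeting.txt", SOURCE, REQUEST))   # markup survives
    print(render_like_flask("greeting.html", SOURCE, REQUEST))  # markup escaped
    print(unescaped_user_vars("greeting.txt", SOURCE, {"name"}))  # ['name']
```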