Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/markupsafeMarkupXSS.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/markupsafeMarkupXSS.py
- branch
- eric7
- changeset 11297
- 2c773823fb7d
- child 11300
- 0119e3818e12
equal
deleted
inserted
replaced
| 11296:2894ef54fe84 | 11297:2c773823fb7d |
|---|---|
| 1 # -*- coding: utf-8 -*- | |
| 2 | |
| 3 # Copyright (c) 2025 Detlev Offenbach <detlev@die-offenbachs.de> | |
| 4 # | |
| 5 | |
| 6 """ | |
| 7 Module implementing checks for potential XSS on markupsafe.Markup use. | |
| 8 """ | |
| 9 | |
| 10 # | |
| 11 # This is a modified version of the one found in the bandit package. | |
| 12 # | |
| 13 # Copyright (c) 2025 David Salvisberg | |
| 14 # | |
| 15 # SPDX-License-Identifier: Apache-2.0 | |
| 16 # | |
| 17 | |
| 18 import ast | |
| 19 | |
| 20 from Security import SecurityUtils | |
| 21 from Security.SecurityDefaults import SecurityDefaults | |
| 22 | |
| 23 | |
| 24 def getChecks(): | |
| 25 """ | |
| 26 Public method to get a dictionary with checks handled by this module. | |
| 27 | |
| 28 @return dictionary containing checker lists containing checker function and | |
| 29 list of codes | |
| 30 @rtype dict | |
| 31 """ | |
| 32 return { | |
| 33 "Call": [ | |
| 34 (markupsafeMarkupXss, ("S-704",)), | |
| 35 ], | |
| 36 } | |
| 37 | |
| 38 | |
| 39 def markupsafeMarkupXss(reportError, context, config): | |
| 40 """ | |
| 41 Function to check for potential XSS on markupsafe.Markup use. | |
| 42 | |
| 43 @param reportError function to be used to report errors | |
| 44 @type func | |
| 45 @param context security context object | |
| 46 @type SecurityContext | |
| 47 @param config dictionary with configuration data (unused) | |
| 48 @type dict | |
| 49 """ | |
| 50 | |
| 51 qualname = context.callFunctionNameQual | |
| 52 if qualname not in ("markupsafe.Markup", "flask.Markup"): | |
| 53 if qualname not in config.get( | |
| 54 "extend_markup_names", SecurityDefaults["extend_markup_names"] | |
| 55 ): | |
| 56 # not a Markup call | |
| 57 return None | |
| 58 | |
| 59 args = context.node.args | |
| 60 if not args or isinstance(args[0], ast.Constant): | |
| 61 # both no arguments and a constant are fine | |
| 62 return None | |
| 63 | |
| 64 allowedCalls = config.get("allowed_calls", SecurityDefaults["allowed_calls"]) | |
| 65 if ( | |
| 66 allowedCalls | |
| 67 and isinstance(args[0], ast.Call) | |
| 68 and SecurityUtils.getCallName(args[0], context.importAliases) in allowedCalls | |
| 69 ): | |
| 70 # the argument contains a whitelisted call | |
| 71 return None | |
| 72 | |
| 73 reportError( | |
| 74 context.node.lineno - 1, | |
| 75 context.node.col_offset, | |
| 76 "S-704", | |
| 77 "M", | |
| 78 "H", | |
| 79 qualname, | |
| 80 context.callFunctionName, | |
| 81 ) |
