RSPEC-5247

Disabling auto-escaping in template engines is security-sensitive

    Details

    • Message:
      Make sure disabling auto-escaping feature is safe here.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      Python
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-79, CWE-80, CWE-81, CWE-82, CWE-83, CWE-84, CWE-85, CWE-86, CWE-87
    • OWASP:
      A7, A9
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      To reduce the risk of cross-site scripting (XSS) attacks, templating systems such as Twig, Django's template engine, Smarty and Groovy's template engine allow automatic escaping of variables to be configured before templates are rendered. When escaping is applied, characters that are meaningful to the browser (e.g. <a>) are transformed into escaped/sanitized values (e.g. &lt;a&gt;).

      Auto-escaping is not a magic feature that eliminates all cross-site scripting attacks: its effectiveness depends on the escaping strategy and on the context in which the variable is used. For example, an "HTML auto-escaping" strategy (which only transforms HTML special characters such as <, >, & and quotes into HTML entities) is not sufficient when a variable is placed in a URL attribute such as href, because the ':' character of a "javascript:" URL is not escaped and the attack below remains possible:

      <a href="{{ myLink }}">link</a> // myLink = javascript:alert(document.cookie)
      <a href="javascript:alert(document.cookie)">link</a> // JS injection (XSS attack)
      

      Ask Yourself Whether

      • Templates are used to render web content and
        • dynamic variables in templates come from untrusted locations or are user-controlled inputs
        • there is no local mechanism in place to sanitize or validate the inputs.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Enable auto-escaping by default and continue to review how inputs are used in templates, in order to be sure that the chosen auto-escaping strategy is the right one for each context (HTML body, HTML attribute, URL).
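      The following is an added example, not code from the rule page or from any of the template engines it names. It models the three situations described above with a minimal stand-in engine built on str.format(): auto-escaping disabled, plain HTML auto-escaping, and HTML escaping combined with a context-specific scheme check for href values. The helper names (render_unescaped, render_html_escaped, safe_url, render_link), the SAFE_URL_SCHEMES allow list and the attacker inputs are all constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Schemes allowed in href/src attributes; "" covers relative URLs such as /path.
# Allow list chosen for this example; adjust it to the application's needs.
SAFE_URL_SCHEMES = frozenset({"http", "https", "mailto", ""})


def render_unescaped(template: str, **context: object) -> str:
    """Stand-in for a template engine with auto-escaping disabled.

    str.format() (a hypothetical minimal engine, not Twig/Django/Smarty)
    substitutes every variable verbatim, so any markup or script in the
    context lands in the page as-is.
    """
    return template.format(**context)


def render_html_escaped(template: str, **context: object) -> str:
    """Stand-in for a template engine with plain HTML auto-escaping enabled.

    Every variable goes through html.escape(), which turns <, >, &, " and '
    into entities. This is the "html auto-escaping" strategy the rule
    describes, and it is all most engines do when autoescape is on.
    """
    escaped = {name: html.escape(str(value), quote=True) for name, value in context.items()}
    return template.format(**escaped)


def safe_url(value: str) -> str:
    """Context-specific check for URL attributes.

    HTML escaping leaves "javascript:alert(1)" untouched, so a URL placed in
    href/src must additionally be validated against an allow list of schemes.
    Browsers ignore tab/newline characters inside a URL and leading spaces,
    so they are removed before the scheme is parsed (otherwise
    "java\\tscript:" would slip past the check).
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in SAFE_URL_SCHEMES:
        return cleaned
    return "about:blank"  # neutral replacement; rejecting the request is also an option


def render_link(label: str, url: str) -> str:
    """Hardened form: HTML escaping for both the text and the attribute value,
    plus scheme validation because the value sits in a URL context."""
    return render_html_escaped('<a href="{href}">{text}</a>', href=safe_url(url), text=label)


if __name__ == "__main__":
    # Constructed attacker-controlled inputs (not taken from the original page).
    body_payload = "<script>alert(document.cookie)</script>"
    link_payload = "javascript:alert(document.cookie)"

    print(render_unescaped("<p>{name}</p>", name=body_payload))                # script tag survives
    print(render_html_escaped("<p>{name}</p>", name=body_payload))             # neutralised
    print(render_html_escaped('<a href="{link}">link</a>', link=link_payload))  # escaping changes nothing: still XSS
    print(render_link("link", link_payload))                                   # href replaced by about:blank
    print(render_link('say "hi"', "https://example.com/?q=<b>"))               # both contexts handled
```

      The third line of output is the point of the rule: with "HTML" auto-escaping enabled, the javascript: URL is rendered unchanged because none of its characters are HTML-special. Turning auto-escaping on is the baseline; values that land in URL, JavaScript or CSS contexts still need a check that matches that context.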

          Issue Links

          1. JavaScript RSPEC-5248 (Language-Specification, Active, Unassigned)
          2. XML RSPEC-5249 (Language-Specification, Active, Unassigned)
          3. PHP RSPEC-5252 (Language-Specification, Active, Unassigned)
          4. HTML RSPEC-5347 (Language-Specification, Active, Unassigned)
          5. Python RSPEC-5442 (Language-Specification, Active, Unassigned)

              People

              • Assignee: Unassigned
              • Reporter: Lars Svensson (lars.svensson, Inactive)
