Fix Bandit check

Bandit has started to fail on master. >> Issue: [B701:jinja2_autoescape_false] Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Ensure autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities. Severity: High Confidence: Medium Location: ironic/common/utils.py:491 More Info: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html 489 # NOTE(pas-ha) not using default_for_string=False as we set the name 490 # of the template above for strings too. 491 env = jinja2.Environment( 492 loader=loader, 493 autoescape=jinja2.select_autoescape(), 494 undefined=jinja2.StrictUndefined if strict else jinja2.Undefined 495 ) It appears that Arun changed this around a little in https://review.opendev.org/c/openstack/ironic/+/777448/10/ironic/common/utils.py however this doesn't seem to pass reliably. As such, I'm returning the notation of the label to the first line as it was before, which seems to consistently pass bandit checking. Change-Id: I7f5b7323b108b303b5b77609d5903128d4adca3c
2021-03-29 14:31:32 -07:00 · 2021-03-29 14:31:32 -07:00 · 4afbf74798
commit 4afbf74798
parent 851aac397e
1 changed files with 2 additions and 2 deletions
--- a/ironic/common/utils.py
+++ b/ironic/common/utils.py
@ -488,9 +488,9 @@ def render_template(template, params, is_file=True, strict=False):
    # and still complains with B701 for that line
    # NOTE(pas-ha) not using default_for_string=False as we set the name
    # of the template above for strings too.
-    env = jinja2.Environment(
+    env = jinja2.Environment(  # nosec B701
        loader=loader,
-        autoescape=jinja2.select_autoescape(),  # nosec B701
+        autoescape=jinja2.select_autoescape(),
        undefined=jinja2.StrictUndefined if strict else jinja2.Undefined
    )
    tmpl = env.get_template(tmpl_name)