From ad387c02bc29ec874bfff5e0d313b80901df112c Mon Sep 17 00:00:00 2001 From: Tim Kelsey Date: Mon, 15 Aug 2016 15:27:35 +0100 Subject: [PATCH] OSSN-0070: bandit version < 1.1.0 have possible XSS Closes-bug: #1612988 Change-Id: Ibdbbc02f8f2f4ab33fc7a1c33f6c2a89d2380c81 --- security-notes/OSSN-0070 | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 security-notes/OSSN-0070 diff --git a/security-notes/OSSN-0070 b/security-notes/OSSN-0070 new file mode 100644 index 00000000..8dbb7819 --- /dev/null +++ b/security-notes/OSSN-0070 @@ -0,0 +1,34 @@ +Bandit versions lower than 1.1.0 do not escape HTML in issue reports +--- + +### Summary ### +Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that +does not escape HTML in issue context snippets. This could lead to an XSS if +HTML reports are hosted as part of a CI pipeline. + +### Affected Services / Software ### +Bandit: < 1.1.0 + +### Discussion ### +Bandit versions lower than 1.1.0 have a bug in the HTML report formatter that +does not escape HTML in issue context snippets. This could lead to an XSS +attack if HTML reports are hosted as part of a CI pipeline because HTML in the +source code would be copied verbatim into the report. For example: + + import subprocess + subprocess.Popen("", shell=True) + +Will cause "" to be inserted into the HTML report. +This issue could allow for arbitrary code injection into CI/CD pipelines that +feature accessible HTML reports generated from Bandit runs. + +### Recommended Actions ### +Update bandit to version 1.1.0 or greater. + +### Contacts / References ### +Author: Tim Kelsey , HPE +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063 +Original LaunchPad Bug : https://bugs.launchpad.net/bandit/+bug/1612988 +OpenStack Security ML : openstack-security@lists.openstack.org +OpenStack Security Group : https://launchpad.net/~openstack-ossg +CVE: N/A
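Review bot: the self-reference in the new file, `This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063`, points at OSSN-0063 while the note being added is OSSN-0070; the link should be corrected to the OSSN-0070 wiki page before merge. Two further points in the same hunk: the Discussion example `subprocess.Popen("", shell=True)` and the sentence `Will cause "" to be inserted into the HTML report` both carry an empty string literal, so as written the example does not show the unescaped markup it is meant to illustrate (either the sample was lost or it still needs to be filled in), and the `Author: Tim Kelsey , HPE` line has nothing between the name and the comma where the contact address belongs. Finally, "arbitrary code injection into CI/CD pipelines" overstates what the hunk describes; the bug is unescaped HTML from source snippets being rendered in the browser of whoever views a hosted report (XSS), so wording such as "arbitrary script execution in the browser of anyone viewing a hosted report" would state the impact more precisely.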