-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Jinja2 template rendering with autoescape enabled #690
Conversation
please review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also add this change to the other Jinja2 Template call?
It is used here: src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/initial_commit.py
Add autoescape=True to avoid XSS
Hi @sbkok based on your comment i updated a file which you mentioned please review , Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for contributing this.
* add autoescape true * Update initial_commit.py with space * Update initial_commit.py Add autoescape=True to avoid XSS
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
* add autoescape true * Update initial_commit.py with space * Update initial_commit.py Add autoescape=True to avoid XSS
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (#596) by @sbkok. * Fix CodeBuild stage naming bug (#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (#686) by @sbkok, resolves #594 and #659. * Fix permissions to enable delete default VPC in management account (#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (#701) by @sbkok. * Fix clean bootstrap of the deployment account (#703) by @sbkok, resolves #696. * Bump Jinja2 from 3.1.3 to 3.1.4 (#720 and #721) by @dependabot. * Fix account management lambdas in v3.2 (#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (#677) by @sbkok. * Ensure tox fails at first pytest failure (#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (#726) by @sbkok. * Install: Add uncommitted changes check (#733)
Why?
We are using aws-deployment-framework for deployments. In our AWS accounts we are solving an Security Hub findings.
One of the finding found is referenced as CWE-20,79,80 - Cross-site scripting(XSS) with high security labelled.
The issue is in the Jinja2 library, as used by
initial_commit.py
files. There was noautoescape=True
.I added the
autoescape=True
attribute to resolve this.With these changes, the finding related with XSS is resolved in our AWS account.
Please consider this in next release.
Security-hub finding issue -CWE-20,79,80 - Cross-site scripting
What?
Description of changes:
autoescape=True
to resolve the XSS issue while rendering Jinja2 templates.By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.