Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(iast): xss vulnerability for jinja2 template engine #12183

Merged
merged 14 commits into from
Feb 5, 2025
Merged

chore(iast): xss vulnerability for jinja2 template engine #12183

merged 14 commits into from
Feb 5, 2025

Conversation

avara1986
Copy link
Member

@avara1986 avara1986 commented Jan 31, 2025
edited
Loading

xss vulnerability for jinja2 template engine

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@avara1986 avara1986 added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Jan 31, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 31, 2025
edited
Loading

CODEOWNERS have been resolved as:

tests/contrib/flask/test_templates/test_insecure.html                   @DataDog/apm-core-python @DataDog/apm-idm-python
ddtrace/appsec/_iast/taint_sinks/xss.py                                 @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py     @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python

@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Jan 31, 2025
edited
Loading

Datadog Report

Branch report: avara1986/APPSEC-56565-xss_jinja2
Commit report: de9139a
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1468 Skipped, 4m 26.74s Total duration (35m 43.2s time saved)

@pr-commenter
Copy link

pr-commenter bot commented Jan 31, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-04 11:41:02

Comparing candidate commit 4346326 in PR branch avara1986/APPSEC-56565-xss_jinja2 with baseline commit 2ccaaef in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

@avara1986 avara1986 changed the base branch from main to 3.x-staging February 4, 2025 10:11
@avara1986 avara1986 force-pushed the avara1986/APPSEC-56565-xss_jinja2 branch from de9139a to f5c0dd8 Compare February 4, 2025 10:11
@avara1986 avara1986 marked this pull request as ready for review February 4, 2025 14:56
@avara1986 avara1986 requested review from a team as code owners February 4, 2025 14:56
@avara1986 avara1986 merged commit a8760c6 into 3.x-staging Feb 5, 2025
364 of 365 checks passed
@avara1986 avara1986 deleted the avara1986/APPSEC-56565-xss_jinja2 branch February 5, 2025 07:45
ZStriker19 pushed a commit that referenced this pull request Feb 6, 2025
@avara1986 @ZStriker19
chore(iast): xss vulnerability for jinja2 template engine (#12183)
99dcff4 
xss vulnerability for jinja2 template engine

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
gnufede pushed a commit that referenced this pull request Feb 19, 2025
@avara1986 @gnufede
chore(iast): xss vulnerability for jinja2 template engine (#12183)
d02914b 
xss vulnerability for jinja2 template engine

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanjux juanjux juanjux approved these changes

@wantsui wantsui wantsui approved these changes

@erikayasuda erikayasuda Awaiting requested review from erikayasuda erikayasuda is a code owner automatically assigned from DataDog/apm-core-python

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@avara1986 @juanjux @wantsui