Fix Jinja2 template rendering with autoescape enabled #690
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
faridnsh
reviewed
Feb 22, 2024
|
please review |
sbkok
requested changes
Mar 26, 2024
There was a problem hiding this comment.
Can you also add this change to the other Jinja2 Template call?
It is used here: src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/initial_commit.py
Add autoescape=True to avoid XSS
|
Hi @sbkok based on your comment i updated a file which you mentioned please review , Thanks |
sbkok
changed the title
sbkok
approved these changes
Apr 5, 2024
javydekoning
approved these changes
Apr 5, 2024
sbkok
pushed a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 16, 2024
* add autoescape true * Update initial_commit.py with space * Update initial_commit.py Add autoescape=True to avoid XSS
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 17, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
Merged
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 23, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok.
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 24, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
sbkok
added a commit
to sbkok/aws-deployment-framework
that referenced
this pull request
May 24, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (awslabs#596) by @sbkok. * Fix CodeBuild stage naming bug (awslabs#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (awslabs#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (awslabs#686) by @sbkok, resolves awslabs#594 and awslabs#659. * Fix permissions to enable delete default VPC in management account (awslabs#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (awslabs#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (awslabs#701) by @sbkok. * Fix clean bootstrap of the deployment account (awslabs#703) by @sbkok, resolves awslabs#696. * Bump Jinja2 from 3.1.3 to 3.1.4 (awslabs#720 and awslabs#721) by @dependabot. * Fix account management lambdas in v3.2 (awslabs#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (awslabs#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (awslabs#677) by @sbkok. * Ensure tox fails at first pytest failure (awslabs#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (awslabs#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (awslabs#726) by @sbkok. * Install: Add uncommitted changes check (awslabs#733)
sbkok
pushed a commit
that referenced
this pull request
May 27, 2024
* add autoescape true * Update initial_commit.py with space * Update initial_commit.py Add autoescape=True to avoid XSS
sbkok
added a commit
that referenced
this pull request
May 27, 2024
The upcoming v4 release will introduce breaking changes. As always, it is recommended to thoroughly review and test the upgrade procedure in a non-production environment. Unfortunately, a few issues popped up in ADF v3.2.0 that block a clean installation in a new environment. Making it harder to test the upgrade process. This release resolves those issues and includes an updated installer for ADF to simplify installation. We hope this shortens the time required to prepare for the v4 upgrade. --- **Fixes 🐞** * Fix management account config alias through ADF account management (#596) by @sbkok. * Fix CodeBuild stage naming bug (#628) by @pozeus. * Fix Jinja2 template rendering with autoescape enabled (#690) by @sujay0412. * Fix missing deployment_account_id and initial deployment global IAM bootstrap (#686) by @sbkok, resolves #594 and #659. * Fix permissions to enable delete default VPC in management account (#699) by @sbkok. * Fix tagging of Cross Account Access role in the management account (#700) by @sbkok. * Fix CloudFormation cross-region changeset approval (#701) by @sbkok. * Fix clean bootstrap of the deployment account (#703) by @sbkok, resolves #696. * Bump Jinja2 from 3.1.3 to 3.1.4 (#720 and #721) by @dependabot. * Fix account management lambdas in v3.2 (#729) by @sbkok. * Fix management account missing required IAM Tag Role permission in v3.2 (#729) by @sbkok. --- **Installation enhancements 🚀** This release is the first release with the new installation process baked in. Please read the [Installation Guide](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/installation-guide.md) how to install ADF. In case you are upgrading, please follow [the admin guide on updating ADF](https://github.com/awslabs/aws-deployment-framework/blob/make/latest/docs/admin-guide.md#updating-between-versions) instead. Changes baked into this release to support the new installation process: * New install process (#677) by @sbkok. * Ensure tox fails at first pytest failure (#686) by @sbkok. * Install: Add checks to ensure installer dependencies are available (#702) by @sbkok. * Install: Add version checks and pre-deploy warnings (#726) by @sbkok. * Install: Add uncommitted changes check (#733)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why?
We are using aws-deployment-framework for deployments. In our AWS accounts we are solving an Security Hub findings.
One of the finding found is referenced as CWE-20,79,80 - Cross-site scripting(XSS) with high security labelled.
The issue is in the Jinja2 library, as used by
initial_commit.pyfiles. There was noautoescape=True.I added the
autoescape=Trueattribute to resolve this.With these changes, the finding related with XSS is resolved in our AWS account.
Please consider this in next release.
Security-hub finding issue -CWE-20,79,80 - Cross-site scripting
What?
Description of changes:
autoescape=Trueto resolve the XSS issue while rendering Jinja2 templates.By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.