The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0
Fix Jinja2 template rendering with autoescape enabled #690
Why?
We are using aws-deployment-framework for deployments. In our AWS accounts we are resolving Security Hub findings.
One of the findings is referenced as CWE-20,79,80 - Cross-site scripting (XSS), with a high severity label.
The issue is in the Jinja2 library, as used by initial_commit.py files. There was no autoescape=True.
I added the autoescape=True attribute to resolve this.
With these changes, the finding related with XSS is resolved in our AWS account.
Please consider this in the next release.
User-controllable input must be sanitized before it's included in output used to dynamically generate a web page.
Unsanitized user input can introduce cross-site scripting (XSS) vulnerabilities that can lead to inadvertently running malicious code in a trusted context.
What?
Description of changes:
Add autoescape=True to resolve the XSS issue while rendering Jinja2 templates.
By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.
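The effect of the `autoescape=True` change described above, as an added example that is not part of this PR or of ADF's `initial_commit.py`; the template, the `repo_name` variable and the tainted value are constructed for illustration:

```python
"""Show what Jinja2's autoescape setting does to an untrusted template variable.

Constructed example: the template and values below are made up and are not
the templates that ADF's initial_commit.py renders.
"""
from jinja2 import DictLoader, Environment

# Constructed template standing in for a file loaded from disk.
TEMPLATES = {
    "page.html": "<p>Repository: {{ repo_name }}</p>",
}

# Constructed untrusted value: markup smuggled through a template variable.
TAINTED = '<script>alert("xss")</script>'


def render(autoescape: bool, repo_name: str = TAINTED) -> str:
    """Render page.html with the given autoescape setting.

    autoescape=False reproduces the pre-fix behaviour (the flag defaults to
    False in Jinja2); autoescape=True is the setting this PR adds.
    """
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    return env.get_template("page.html").render(repo_name=repo_name)


def raw_markup_survives(output: str) -> bool:
    """True when the tainted <script> tag reached the output unescaped."""
    return "<script>" in output


if __name__ == "__main__":
    before = render(autoescape=False)  # tag passes straight through
    after = render(autoescape=True)    # tag is HTML-escaped
    print("autoescape=False:", before)
    print("autoescape=True: ", after)
```

With autoescape on, Jinja2 HTML-escapes `&`, `<`, `>`, `"` and `'` in every substituted value, so for templates whose output is not HTML, compare the rendered result before and after enabling it.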