Closed (opetryk closed this 4 months ago)
That report makes absolutely no sense, and the CVE linked is garbage and has been disputed, because it's about as bad as saying "if you pass sourcecode input from a user to a compiler and run it, that executes the code from the user".
If your security scanner does not ignore disputed CVEs, please report it as a bug to its developers.
In fact, there's already an issue about this in what looks like the upstream of your security scanner: https://github.com/pyupio/safety/issues/527
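The practical fix on the consuming side is to tell the scanner to skip the disputed advisory rather than to disable the security step. The following policy file is an added example, not part of this thread or of the safety project's own documentation; it assumes the scanner is safety 2.x, which reads `.safety-policy.yml` from the working directory, and that `ignore-vulnerabilities` keyed by the numeric advisory ID (70612, from the report above) is the accepted schema for the installed version, so check it against your version's documentation.

```yaml
# .safety-policy.yml (assumed location and schema for safety 2.x policy files)
security:
  # Advisory IDs to suppress. 70612 is the safety ID shown in the report above;
  # it wraps CVE-2019-8341, which is disputed because Jinja2 intentionally
  # executes the template source it is given (use SandboxedEnvironment for
  # untrusted templates, never render untrusted source as a template).
  ignore-vulnerabilities:
    70612:
      reason: >-
        Disputed CVE-2019-8341 (Jinja2 from_string). Only trusted, in-repo
        templates are rendered; untrusted input is passed as template data,
        not as template source.
      # Force a periodic re-review instead of a permanent exception
      # (placeholder date, set your own review cadence).
      expires: "2025-12-31"
  # Keep failing the step on real findings.
  continue-on-vulnerability-error: False
```

Run the step as before (for example `poetry run safety check --policy-file .safety-policy.yml`); the ignore entry applies only to that ID, so any new Jinja2 advisory still fails the check.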
@ThiefMaster thank you for the information
With usage of pre-commit tool v4.3.0 and poetry version 1.8.2 (poetry run invoke security) the following issue appeared:

```
Vulnerability ID: 70612
Affected spec: >=0
ADVISORY: In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
CVE-2019-8341
For more information, please visit https://data.safetycli.com/v/70612/f17
```
Expected behavior: Security step should pass
Environment: