authorTristan Maat <tristan.maat@codethink.co.uk>2019-12-02 16:54:50 +0000
committerTristan Maat <tristan.maat@codethink.co.uk>2019-12-10 13:23:31 +0000
commita0f0fe64db56ba565e9fa421dcf1d0fee2ba2ef5 (patch)
treea08504d52ec08c908dd9a45b80f8ff66980e0adb
parent397a8fe5e8d32a8ec6a9ef252cd7a55007ad4f66 (diff)
downloadbuildstream-tlater/fix-jinja-autoescape.tar.gz
optionpool.py: Make jinja autoescape rules explicittlater/fix-jinja-autoescape
Our security linter warns us that jinja should be set to escape HTML output. Since we don't do HTML output, or any other markup that would be vulnerable to XSS, we explicitly disable it on our strings, and let jinja do as it pleases on files. Should anyone use BuildStream as a library, they should likely escape our output before displaying it in a browser, but that's a given since they are operating on user-defined data.
-rw-r--r--src/buildstream/_options/optionpool.py14
1 files changed, 13 insertions, 1 deletions
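--- a/src/buildstream/_options/optionpool.py
+++ b/src/buildstream/_options/optionpool.py
@@ -312,6 +312,18 @@ class OptionPool:
 return False
 def _init_environment(self):
+ # Bandit (our code security linter) requires the function to
+ # be called select_autoescape, not jinja2.select_autoescape,
+ # so we can't use the function in its original scope.
+ from jinja2 import select_autoescape
+
 # jinja2 environment, with default globals cleared out of the way
- self._environment = jinja2.Environment(undefined=jinja2.StrictUndefined)
+ #
+ # Note: We don't really care what autoescape is set up to
+ # escape, as long as it doesn't escape our strings - we don't
+ # use jinja to produce markup vulnerable to XSS, and we don't
+ # run it on files directly.
+ self._environment = jinja2.Environment(
+ undefined=jinja2.StrictUndefined, autoescape=select_autoescape(default_for_string=False, default=True)
+ )
 self._environment.globals = []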
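Review bot: The comment above the `jinja2.Environment` call does not say what the chosen policy does in practice: with `default_for_string=False` every template this pool renders from a string stays unescaped exactly as before, while `default=True` only applies to templates loaded through a loader, and no loader is passed here, so that branch is currently unreachable and the change is effectively linter-only. Suggest saying so in the comment, e.g. `# Strings (the only templates we render) stay unescaped; the file default is moot because no loader is configured.`, so that a later change adding a loader knows escaping would silently switch on for files. The function-scope import would also benefit from a word on why it is not at module level — a module-level `from jinja2 import select_autoescape` gives Bandit the same bare name, if that is the only constraint. `_init_environment` may continue past the end of the hunk.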