Bento version 0.9 includes a check that caught a high-severity Python vulnerability and also introduces a suite of checks for Jinja, Flask’s HTML template engine. Plus, a new GitHub Action is in development and we’re looking for early users.
Get the latest Bento with:
$ pip3 install --upgrade bento-cli
🙈 CVE-2020-8492: High-Severity Python Vulnerability
Our team member mschwager found CVE-2020-8492, a regex denial of service (ReDoS) through catastrophic backtracking in the Python standard library. This type of bug infamously caused a large Cloudflare outage in July 2019, their first global outage in six years. The ReDoS check is now available for you to run on your codebase using Bento 0.9!
# Run Dlint tool and its ReDoS check once:
$ bento check --tool=dlint --all
# Enable Dlint and its ReDoS check to run on every commit:
$ bento enable tool dlint
Here’s a visualization of catastrophic backtracking:
Read more about the vulnerability and the new check.
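To make the catastrophic-backtracking idea concrete, here is an added example (not Bento or Dlint code) that pairs a constructed vulnerable pattern with an equivalent linear one, measures how rejection time grows with input length, and includes a deliberately crude text heuristic, assumed here for illustration only, that flags the textbook shape of a quantifier nested inside a quantified group:

```python
import re
import time

# Constructed patterns. Both accept the same language (one or more "a"), but
# the first nests a quantifier inside a quantified group, so a near-miss input
# such as "aaaa!" forces the engine to try every way of splitting the a's.
VULNERABLE = re.compile(r"^(a+)+$")
SAFE = re.compile(r"^a+$")

# Assumed heuristic: a parenthesised group containing an unescaped + or *
# that is itself followed by + or *. A real linter walks the parsed regex
# tree; this only catches the simplest nested-quantifier shape.
_NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*]")


def has_nested_quantifier(pattern: str) -> bool:
    """Return True if the pattern text contains a quantified group with a quantifier inside."""
    return _NESTED_QUANTIFIER.search(pattern) is not None


def time_match(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_growth(pattern, sizes):
    """Seconds taken to reject the near-miss input "a" * n + "!" for each n in sizes."""
    return [time_match(pattern, "a" * n + "!")[1] for n in sizes]


if __name__ == "__main__":
    sizes = [8, 12, 16, 18]
    for label, pat in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, [f"{t:.6f}s" for t in backtracking_growth(pat, sizes)])
    print("nested quantifier flagged:", has_nested_quantifier(VULNERABLE.pattern))
```

Each extra "a" roughly doubles the rejection time for the vulnerable pattern while the safe pattern stays linear; the sizes are kept small so the demonstration finishes quickly, which is exactly why this class of bug is easy to miss in tests and why a static check like Dlint's is useful.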
🦺 Safe Jinja Templates
In 0.9 we added checks for Jinja, Flask's HTML template engine. The checks focus on cross-site scripting weaknesses:
"Cross site scripting (XSS) is the concept of injecting arbitrary HTML (and with it JavaScript) into the context of a website. To remedy this, developers have to properly escape text so that it cannot include arbitrary HTML tags." - Flask Pallets Documentation
Our favorite of these checks catches an easy mistake described as "the most underestimated vulnerability ever": missing noreferrer and noopener attributes on links that open in a new tab.
For existing projects (Jinja checks are enabled by default for new ones), run:
# Run Jinja checks once:
$ bento check --tool=r2c.jinja --all
# Run Jinja checks on every commit:
$ bento enable tool r2c.jinja
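The two ideas in this section, escaping untrusted text before it lands in HTML and spotting target="_blank" links that lack rel="noopener noreferrer", are shown below in an added example that is not part of Bento's Jinja checks. It uses only the standard library: a toy substitution function stands in for a template engine's autoescape switch, and an HTMLParser subclass scans constructed template markup for the link mistake:

```python
import html
from html.parser import HTMLParser

# Toy stand-in for a template engine (assumed for illustration, not Jinja):
# substitutes "{{ value }}" with the value, escaped unless autoescape is off.
def render_untrusted(template: str, value: str, autoescape: bool = True) -> str:
    rendered = html.escape(value, quote=True) if autoescape else value
    return template.replace("{{ value }}", rendered)


class BlankLinkChecker(HTMLParser):
    """Collects <a target="_blank"> tags missing noopener or noreferrer in rel."""

    REQUIRED = {"noopener", "noreferrer"}

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (href, sorted missing rel tokens)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel = set(attr.get("rel", "").lower().split())
        missing = sorted(self.REQUIRED - rel)
        if missing:
            self.findings.append((attr.get("href", ""), missing))


def find_unsafe_blank_links(markup: str):
    """Return (href, missing tokens) for every target="_blank" link lacking noopener/noreferrer."""
    checker = BlankLinkChecker()
    checker.feed(markup)
    checker.close()
    return checker.findings


# Constructed template source for the demonstration.
SAMPLE_TEMPLATE = """<p>Hello {{ value }}</p>
<a href="https://example.com/" target="_blank">no rel at all</a>
<a href="https://example.com/blog" target="_blank" rel="noopener">only noopener</a>
<a href="https://example.com/docs" target="_blank" rel="noopener noreferrer">fine</a>
<a href="/local" target="_self">fine, stays in this tab</a>
"""

if __name__ == "__main__":
    untrusted = "<script>alert(1)</script>"
    print("autoescape on :", render_untrusted("<p>{{ value }}</p>", untrusted))
    print("autoescape off:", render_untrusted("<p>{{ value }}</p>", untrusted, autoescape=False))
    for href, missing in find_unsafe_blank_links(SAMPLE_TEMPLATE):
        print(f"{href}: add rel tokens {missing}")
```

With escaping on, the untrusted value reaches the browser as inert text; with it off, the same value is interpreted as markup, which is the weakness the Jinja checks look for. The link checker reports which of the two rel tokens each new-tab link still needs.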
🤖 Get in on the Bento GitHub Action
Bento is coming to the GitHub Actions marketplace in the next release. We’ve been using the Action ourselves and would love to get your feedback on it, too. Ready to give it a try? Email us if you’d like to try it before we ship it broadly.
As always, please don’t hesitate to reach out to us for support or discussion via support@r2c.dev or on Slack.
Happy coding from the Bento Team!