Bento 0.9: Checks for a high-severity Python vulnerability and Jinja templates

Catch a high-severity Python vuln and new checks for Jinja templates

Pablo Estrada
February 19th, 2020

Bento version 0.9 includes a check that caught a high-severity Python vulnerability and also introduces a suite of checks for Jinja, Flask’s HTML template engine. Plus, a new GitHub Action is in development and we’re looking for early users.

Get the latest Bento with:

$ pip3 install --upgrade bento-cli

🙈 CVE-2020-8492: High-Severity Python Vulnerability

Our team member mschwager found CVE-2020-8492: a regular expression denial of service (ReDoS) through catastrophic backtracking in the Python standard library. This type of bug infamously caused a large Cloudflare outage in July 2019, their first global outage in six years. The ReDoS check is now available for you to run on your codebase using Bento 0.9!

# Run Dlint tool and its ReDoS check once:
$ bento check --tool=dlint --all
# Enable Dlint and its ReDoS check to run on every commit:
$ bento enable tool dlint

Here’s a visualization of catastrophic backtracking:

[Figure: regular expression catastrophic backtracking]

Read more about the vulnerability and the new check.

🦺 Safe Jinja Templates

In 0.9 we added checks for Jinja, Flask’s HTML template engine. The checks focus on cross-site scripting weaknesses:

“Cross site scripting (XSS) is the concept of injecting arbitrary HTML (and with it JavaScript) into the context of a website. To remedy this, developers have to properly escape text so that it cannot include arbitrary HTML tags.” - Flask Pallets Documentation

Our favorite of these checks is an easy mistake described as “the most underestimated vulnerability ever”: missing noreferrer and noopener attributes.

For existing projects (the Jinja checks will be enabled by default for new ones) run:

# Run Jinja checks once:
$ bento check --tool=r2c.jinja --all
# Run Jinja checks on every commit:
$ bento enable tool r2c.jinja
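As an added example (not Bento’s own r2c.jinja rule), here is a small Python scan for the missing noreferrer/noopener mistake mentioned above: it walks a Jinja/HTML template and reports every link opened with target="_blank" whose rel attribute lacks either value. The sample template is constructed for the example.

```python
# Added example (not Bento's r2c.jinja check): find target="_blank" links
# in a Jinja/HTML template that lack rel="noopener noreferrer".
from html.parser import HTMLParser


class BlankTargetLinkAuditor(HTMLParser):
    """Collects <a target="_blank"> tags whose rel attribute is missing
    the values that cut the new page's access to window.opener."""

    REQUIRED_REL = {"noopener", "noreferrer"}

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, href, missing rel values)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        present = {v.lower() for v in attr.get("rel", "").split()}
        missing = sorted(self.REQUIRED_REL - present)
        if missing:
            line, _col = self.getpos()  # 1-based line of the <a ...> tag
            self.findings.append((line, attr.get("href", ""), missing))


def find_unsafe_blank_links(template_text):
    """Return [(line, href, [missing rel values]), ...] for one template."""
    auditor = BlankTargetLinkAuditor()
    auditor.feed(template_text)
    auditor.close()
    return auditor.findings


# Constructed sample template, not taken from the post.
SAMPLE_TEMPLATE = """<ul>
  <li><a href="{{ url_for('index') }}">Home</a></li>
  <li><a href="{{ partner.url }}" target="_blank">Partner</a></li>
  <li><a href="https://example.com" target="_blank" rel="noopener">Docs</a></li>
  <li><a href="https://example.com" target="_blank" rel="noopener noreferrer">OK</a></li>
</ul>
"""

if __name__ == "__main__":
    for line, href, missing in find_unsafe_blank_links(SAMPLE_TEMPLATE):
        print(f"line {line}: target=_blank link to {href} is missing rel={' '.join(missing)}")
```

Jinja expressions inside quoted attribute values (such as `{{ partner.url }}`) pass through html.parser untouched, so the scan works on raw templates before rendering.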

🤖 Get in on the Bento GitHub Action

Bento is coming to the GitHub Actions marketplace in the next release. We’ve been using the Action ourselves and would love to get your feedback on it, too. Ready to give it a try? Email us if you’d like to try it before we ship it broadly.

As always, please don’t hesitate to reach out to us for support or discussion via support@r2c.dev or on Slack.

Happy coding from the Bento Team!
