From 398d24de68c79f77f0cfc0148f8d914bc09908b9 Mon Sep 17 00:00:00 2001
From: Zhen Qin
Date: Fri, 30 Jun 2017 15:29:10 -0400
Subject: [PATCH] Avoid false positives of Jinja2 in Bandit scan
When Bandit scans nova/console/xvp.py and nova/virt/netutils.py, the high severity issue ("B701:jinja2_autoescape_false") are triggered. By adding #nosec to above code, this alarm will be surpressed. "When autoescaping is enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables. Without escaping HTML input the application becomes vulnerable to Cross Site Scripting (XSS) attacks."[1] However, the "injected_network_template" is a template with text format and different rules, and is not intended to be executable. Hence, the security concern is not applicable here.
[1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html
Closes-Bug: #1701712
Change-Id: Ie819d90492af1e5c3b3d64403495d7355dc2cd91
---
nova/console/xvp.py | 3 ++-
nova/virt/netutils.py | 5 +++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/nova/console/xvp.py b/nova/console/xvp.py
index 3bbbd81107b5..79764b95fcaa 100644
--- a/nova/console/xvp.py
+++ b/nova/console/xvp.py
@@ -87,7 +87,8 @@ class XVPConsoleProxy(object):
conf_data = {'multiplex_port': CONF.xvp.console_xvp_multiplex_port,
'pools': pools}
tmpl_path, tmpl_file = os.path.split(CONF.injected_network_template)
- env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path))
+ env = jinja2.Environment( # nosec
+ loader=jinja2.FileSystemLoader(tmpl_path)) # nosec
env.filters['pass_encode'] = self.fix_console_password
template = env.get_template(tmpl_file)
self._write_conf(template.render(conf_data))
diff --git a/nova/virt/netutils.py b/nova/virt/netutils.py
index 61710337f8df..14c24664c941 100644
--- a/nova/virt/netutils.py
+++ b/nova/virt/netutils.py
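Review bot: The new `# nosec` markers on the `jinja2.Environment(` lines silence B701 without recording why, so a later reader of xvp.py cannot tell from the code that autoescape is deliberately off because the output is a plain-text console config rather than HTML; the justification currently lives only in the commit message. Put it next to the tag, e.g. `# Renders a plain-text config template, not HTML; autoescape is intentionally off (Bandit B701).` on the line above `env = jinja2.Environment(  # nosec`. The second marker on the `loader=` continuation line looks redundant, since Bandit reports the finding on the line where the call starts — confirm against the Bandit version in use before dropping it. The enclosing method begins before this hunk; the same pair of markers is added in the nova/virt/netutils.py hunk and the same comment applies there.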
@@ -155,8 +155,9 @@ def get_injected_network_template(network_info, template=None,
return
tmpl_path, tmpl_file = os.path.split(template)
- env = jinja2.Environment(loader=jinja2.FileSystemLoader(tmpl_path),
- trim_blocks=True)
+ env = jinja2.Environment( # nosec
+ loader=jinja2.FileSystemLoader(tmpl_path), # nosec
+ trim_blocks=True)
template = env.get_template(tmpl_file)
return template.render({'interfaces': nets, 'use_ipv6': ipv6_is_available,