From 8349408cf85bbfab26454c0452af71b48515d135 Mon Sep 17 00:00:00 2001
From: nghazalibeiklar
Date: Thu, 23 Jun 2022 10:42:33 +1000
Subject: [PATCH] CLIP-1583: Audited url open for permitted schemes and set autoscape to True to mitigate XSS vulnerabilities.
---
 pipeline_generator/pipeline.py | 1 +
 .../bitbucket_latest/tests/test_default.py | 21 +++++++++++--------
 .../confluence_latest/tests/test_default.py | 21 +++++++++++--------
 .../crowd_latest/tests/test_default.py | 21 +++++++++++--------
 4 files changed, 37 insertions(+), 27 deletions(-)
diff --git a/pipeline_generator/pipeline.py b/pipeline_generator/pipeline.py
index c356a56..4a5c5c2 100644
--- a/pipeline_generator/pipeline.py
+++ b/pipeline_generator/pipeline.py
@@ -16,6 +16,7 @@ def find_all_scenarios():
 def load_template():
 jenv = j2.Environment(
 loader=j2.FileSystemLoader('.'),
+ autoescape=True,
 lstrip_blocks=True,
 trim_blocks=True)
 return jenv.get_template(PIPELINE_TEMPLATE_J2_FILE)
diff --git a/roles/product_install/molecule/bitbucket_latest/tests/test_default.py b/roles/product_install/molecule/bitbucket_latest/tests/test_default.py
index bb5b1d8..37b33f9 100644
--- a/roles/product_install/molecule/bitbucket_latest/tests/test_default.py
+++ b/roles/product_install/molecule/bitbucket_latest/tests/test_default.py
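Review bot: `autoescape=True` in load_template applies Jinja's HTML escaping to every interpolated value, which is only the right default if the rendered file is HTML; the surrounding names (`PIPELINE_TEMPLATE_J2_FILE`, `find_all_scenarios`) suggest it is a CI pipeline definition, where a scenario name or path containing `'`, `"`, `&` or `<` would now be emitted as an HTML entity and silently corrupt the generated pipeline. If the output is not HTML the XSS finding this addresses does not apply, and the cleaner fix is to scope escaping to markup templates with `autoescape=j2.select_autoescape(['html', 'xml']),` (which escapes only templates whose file name ends in those extensions) and say why in a comment; if it is HTML, keep the flag but add a regression test that renders a scenario name containing a quote. Either way a one-line comment on the flag stating what the template produces, e.g. `# template renders <OUTPUT FORMAT>; see CLIP-1583`, would spare the next reader the same question.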
@@ -24,25 +24,28 @@ def test_version_file_is_latest(host): verfile = host.file('/media/atl/bitbucket/shared/bitbucket.version') assert verfile.exists - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] assert verfile.content.decode("UTF-8").strip() == upstream.strip() def test_latest_is_downloaded(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] installer = host.file('/media/atl/downloads/bitbucket.' 
+ upstream + '-x64.bin') assert installer.exists assert installer.user == 'root' def test_completed_lockfile(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] lockfile = host.file('/media/atl/downloads/bitbucket.' + upstream + '-x64.bin_completed') assert lockfile.exists diff --git a/roles/product_install/molecule/confluence_latest/tests/test_default.py b/roles/product_install/molecule/confluence_latest/tests/test_default.py index 1b3ef88..6d59c2a 100644 --- a/roles/product_install/molecule/confluence_latest/tests/test_default.py +++ b/roles/product_install/molecule/confluence_latest/tests/test_default.py 
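Review bot: The rewritten fetch in test_version_file_is_latest, test_latest_is_downloaded and test_completed_lockfile still calls `urlopen` without a timeout, so a stalled Marketplace endpoint hangs the molecule run indefinitely; pass `timeout=` on the `urlopen` call. Wrapping the literal URL in `urllib.request.Request` does not by itself restrict which schemes `urlopen` accepts (and Bandit's B310 matches the call by name, so it will most likely still be reported); what makes this call safe is that the URL is a fixed `https` literal rather than caller-supplied, and that is best recorded where the call is made, e.g. `# nosec B310 - fixed https literal, not caller-supplied`. The same four lines are now repeated three times in this file and again in the confluence_latest and crowd_latest hunks, so one module-level helper would keep the timeout and the annotation in a single place and leave each test with one line. test_version_file_is_latest begins above the first line of this hunk.
```python
def _latest_upstream_version(product, timeout=30):
    """Return the newest version name the Atlassian Marketplace lists for *product*."""
    url = f"https://marketplace.atlassian.com/rest/2/products/key/{product}/versions"
    req = urllib.request.Request(url)
    with urllib.request.urlopen(req, timeout=timeout) as response:  # nosec B310 - fixed https literal, not caller-supplied
        return json.load(response)['_embedded']['versions'][0]['name']


# … unchanged: each of the three tests replaces its four fetch lines with …
    upstream = _latest_upstream_version('bitbucket')
```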
@@ -24,25 +24,28 @@ def test_version_file_is_latest(host): verfile = host.file('/media/atl/confluence/shared-home/confluence.version') assert verfile.exists - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] assert verfile.content.decode("UTF-8").strip() == upstream.strip() def test_latest_is_downloaded(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] installer = host.file('/media/atl/downloads/confluence.'+upstream+'-x64.bin') assert installer.exists assert installer.user == 'root' def test_completed_lockfile(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] lockfile = 
host.file('/media/atl/downloads/confluence.'+upstream+'-x64.bin_completed') assert lockfile.exists diff --git a/roles/product_install/molecule/crowd_latest/tests/test_default.py b/roles/product_install/molecule/crowd_latest/tests/test_default.py index 34ffcbc..36e7215 100644 --- a/roles/product_install/molecule/crowd_latest/tests/test_default.py +++ b/roles/product_install/molecule/crowd_latest/tests/test_default.py 
@@ -24,25 +24,28 @@ def test_version_file_is_latest(host): verfile = host.file('/media/atl/crowd/shared/crowd.version') assert verfile.exists - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] assert verfile.content.decode("UTF-8").strip() == upstream.strip() def test_latest_is_downloaded(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] installer = host.file('/media/atl/downloads/crowd.' + upstream + '.tar.gz') assert installer.exists assert installer.user == 'root' def test_completed_lockfile(host): - upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") - upstream_json = json.load(upstream_fd) - upstream = upstream_json['_embedded']['versions'][0]['name'] + upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions") + with urllib.request.urlopen(upstream_req) as upstream_response: + upstream_json = json.load(upstream_response) + upstream = upstream_json['_embedded']['versions'][0]['name'] lockfile = host.file('/media/atl/downloads/crowd.' 
+ upstream + '.tar.gz_completed') assert lockfile.exists