CLIP-1583: Audited url open for permitted schemes and set autoscape to True to mitigate XSS vulnerabilities.

pipeline_generator/pipeline.py

@@ -16,6 +16,7 @@ def find_all_scenarios():
 def load_template():
     jenv = j2.Environment(
         loader=j2.FileSystemLoader('.'),
+        autoescape=True,
         lstrip_blocks=True,
         trim_blocks=True)
     return jenv.get_template(PIPELINE_TEMPLATE_J2_FILE)

roles/product_install/molecule/bitbucket_latest/tests/test_default.py

@@ -24,25 +24,28 @@ def test_version_file_is_latest(host):
     verfile = host.file('/media/atl/bitbucket/shared/bitbucket.version')
     assert verfile.exists
 
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     assert verfile.content.decode("UTF-8").strip() == upstream.strip()
 
 def test_latest_is_downloaded(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     installer = host.file('/media/atl/downloads/bitbucket.' + upstream + '-x64.bin')
     assert installer.exists
     assert installer.user == 'root'
 
 def test_completed_lockfile(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/bitbucket/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     lockfile = host.file('/media/atl/downloads/bitbucket.' + upstream + '-x64.bin_completed')
     assert lockfile.exists

roles/product_install/molecule/confluence_latest/tests/test_default.py

@@ -24,25 +24,28 @@ def test_version_file_is_latest(host):
     verfile = host.file('/media/atl/confluence/shared-home/confluence.version')
     assert verfile.exists
 
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     assert verfile.content.decode("UTF-8").strip() == upstream.strip()
 
 def test_latest_is_downloaded(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     installer = host.file('/media/atl/downloads/confluence.'+upstream+'-x64.bin')
     assert installer.exists
     assert installer.user == 'root'
 
 def test_completed_lockfile(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/confluence/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     lockfile = host.file('/media/atl/downloads/confluence.'+upstream+'-x64.bin_completed')
     assert lockfile.exists

roles/product_install/molecule/crowd_latest/tests/test_default.py

@@ -24,25 +24,28 @@ def test_version_file_is_latest(host):
     verfile = host.file('/media/atl/crowd/shared/crowd.version')
     assert verfile.exists
 
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     assert verfile.content.decode("UTF-8").strip() == upstream.strip()
 
 def test_latest_is_downloaded(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     installer = host.file('/media/atl/downloads/crowd.' + upstream + '.tar.gz')
     assert installer.exists
     assert installer.user == 'root'
 
 def test_completed_lockfile(host):
-    upstream_fd = urllib.request.urlopen("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
+    upstream_req = urllib.request.Request("https://marketplace.atlassian.com/rest/2/products/key/crowd/versions")
-    upstream_json = json.load(upstream_fd)
+    with urllib.request.urlopen(upstream_req) as upstream_response:
-    upstream = upstream_json['_embedded']['versions'][0]['name']
+        upstream_json = json.load(upstream_response)
+        upstream = upstream_json['_embedded']['versions'][0]['name']
 
     lockfile = host.file('/media/atl/downloads/crowd.' + upstream + '.tar.gz_completed')
     assert lockfile.exists