Fix issue #453 jinja2 template select_autoescape when using jinja2.se…

…lect_autoescape (#454) * Add unit test showing the issue * Allow select_autoescape to be an attribute (i.e. jinja2.select_autoescape) * Update bandit/plugins/jinja2_templates.py * Update jinja2_templates.py Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
PyCQA · Jul 11, 2022 · f762f2e · f762f2e
1 parent 1067978
commit f762f2e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py
@@ -104,9 +104,10 @@ def jinja2_autoescape_false(context):
                         ):
                             return
                         # Check if select_autoescape function is used.
-                        elif (
-                            isinstance(value, ast.Call)
-                            and getattr(value.func, "id", None)
+                        elif isinstance(value, ast.Call) and (
+                            getattr(value.func, "attr", None)
+                            == "select_autoescape"
+                            or getattr(value.func, "id", None)
                             == "select_autoescape"
                         ):
                             return

diff --git a/examples/jinja2_templating.py b/examples/jinja2_templating.py
@@ -20,6 +20,9 @@
 Environment(loader=templateLoader,
             autoescape=select_autoescape(['html', 'htm', 'xml']))
 
+Environment(loader=templateLoader,
+            autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']))
+
 
 def fake_func():
     return 'foobar'