diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py
index 63a8782b7..e96522a55 100644
--- a/bandit/plugins/django_xss.py
+++ b/bandit/plugins/django_xss.py
@@ -70,7 +70,9 @@ def is_assigned(self, node):
 if isinstance(target, ast.Name):
 if target.id == self.var_name.id:
 assigned = node.value
- elif isinstance(target, ast.Tuple):
+ elif isinstance(target, ast.Tuple) and isinstance(
+ node.value, ast.Tuple
+ ):
 pos = 0
 for name in target.elts:
 if name.id == self.var_name.id:
diff --git a/examples/mark_safe_insecure.py b/examples/mark_safe_insecure.py
index a122dc93d..b4e9f6bb8 100644
--- a/examples/mark_safe_insecure.py
+++ b/examples/mark_safe_insecure.py
@@ -157,3 +157,11 @@ def test_insecure_with_assign(str_arg=None):
 if not str_arg:
 str_arg = 'could be insecure'
 safestring.mark_safe(str_arg)
+
+def test_insecure_tuple_assign():
+ HTML_CHOICES = (
+ (_('Donate'), 'https://example.org/donate/'),
+ (_('More info'), 'https://example.org/'),
+ )
+ text, url = choice(HTML_CHOICES)
+ safestring.mark_safe('{1}'.format(url, text))
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 4c115fa11..f30ca25f8 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -547,8 +547,8 @@ def test_django_xss_secure(self):
 def test_django_xss_insecure(self):
 """Test for Django XSS via django.utils.safestring"""
 expect = {
- "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 28, "HIGH": 0},
- "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 28},
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 29, "HIGH": 0},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 29},
 }
 self.b_mgr.b_ts = b_test_set.BanditTestSet(
 config=self.b_mgr.b_conf, profile={"exclude": ["B308"]}
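Review bot: The new `isinstance(node.value, ast.Tuple)` guard in the `elif` only protects the right-hand side; the loop that follows still does `name.id` on every element of `target.elts`, so a starred or subscript target (`a, *rest = ...`, `a[0], b = ...`) would still raise AttributeError on an `ast.Starred`/`ast.Subscript` node, and a list literal on the right (`a, b = [x, y]`) is now skipped even though it has `.elts` too. I would widen both checks: `elif isinstance(target, ast.Tuple) and isinstance(node.value, (ast.Tuple, ast.List)):` and, inside the loop, `if isinstance(name, ast.Name) and name.id == self.var_name.id:`. Since the guard now silently drops unpacking from a call or other non-literal value, a one-line comment such as `# non-literal RHS (e.g. a call) cannot be resolved positionally; leave the variable unresolved` would record that this fall-through is intended, which the 28→29 bump in test_functional.py suggests it is. The body of `is_assigned` starts and ends outside this hunk.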
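Review bot: The new `test_insecure_tuple_assign` example in examples/mark_safe_insecure.py gives no hint of what it is exercising, unlike its neighbours whose names describe the case; a short comment above the unpacking line, e.g. `# tuple unpacking from a call: the plugin cannot resolve text/url positionally`, would tie it to the django_xss.py guard it was added for. `choice` and `_` appear without a visible definition in this hunk; if the file does not bind them elsewhere that is fine for AST-only scanning but worth a comment so nobody tries to run the example. The function is also separated from the previous one by a single blank line where PEP 8 (and presumably the rest of the file) uses two.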