update raw-html-concat rule (#3418)

semgrep · Jul 2, 2024 · a4ee962 · a4ee962
1 parent bf733d3
commit a4ee962
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/python/flask/security/injection/raw-html-concat.py b/python/flask/security/injection/raw-html-concat.py
@@ -82,3 +82,11 @@ def load_model(model):
 def ok():
     # ok: raw-html-format
     return "<a href='https://example.com'>Click me!</a>"
+
+@app.route("/post_param_branch", methods=["POST"])
+def post_param_branch():
+    param = flask.request.form['param']
+    part = flask.render_template("link.html", data=param)
+    if True:
+        # ok:raw-html-format
+        return "<a href='%s'>Click me!</a>" % part
diff --git a/python/flask/security/injection/raw-html-concat.yaml b/python/flask/security/injection/raw-html-concat.yaml
@@ -34,7 +34,11 @@ rules:
   pattern-sanitizers:
   - pattern: jinja2.escape(...)
   - pattern: flask.escape(...)
-  - pattern: flask.render_template("~=/.*\.html", ...)
+  - patterns:
+    - pattern: flask.render_template($TPL, ...)
+    - metavariable-regex:
+        metavariable: $TPL
+        regex: .*\.html
   pattern-sources:
   - patterns:
     - pattern-either: