Pyramid Direct Response XSS

HIGH

Traces user input from Pyramid request objects to Response() constructors, enabling reflected cross-site scripting.

Rule Information

Language
Python
Category
Pyramid
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, pyramid, xss, response, taint-analysis, CWE-79, OWASP-A03
CWE References

Interactive Playground


pathfinder scan --ruleset python/PYTHON-PYRAMID-SEC-002 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule traces user input from Pyramid request parameters (request.params, request.GET, request.POST, request.matchdict, request.json_body) directly into Pyramid Response() constructors. When user input is placed into an HTML response body without escaping, it creates a reflected XSS vulnerability.

Unlike Pyramid's template rendering (Chameleon, Jinja2, Mako) which auto-escapes by default, constructing a Response() directly with string concatenation bypasses all template-level escaping. An attacker can inject script tags through request parameters that execute in the victim's browser.

The rule uses taint analysis with scope="local" to track data flow within individual view functions. It recognizes escape() and markupsafe.escape() as sanitizers.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Reflected Cross-Site Scripting

An attacker crafts a URL with malicious JavaScript in a query parameter. When the user clicks the link, the Pyramid view constructs a Response with the unsanitized parameter value, and the script executes in the user's browser with full access to their session cookies and DOM.

2. Session Hijacking

Injected JavaScript can read document.cookie and send it to an attacker-controlled server. The attacker then uses the stolen session cookie to impersonate the user.

3. Credential Theft

XSS can overlay a fake login form on the page. The user sees what looks like a legitimate login prompt, enters their credentials, and the attacker captures them.

How to Fix

Recommended remediation steps

  1. Use Pyramid's template renderers (Chameleon, Jinja2, Mako) instead of constructing Response() with string concatenation
  2. If you must build HTML in view code, escape all user input with markupsafe.escape() before including it
  3. Set Content-Type to application/json for API responses to prevent browsers from rendering HTML
  4. Implement Content-Security-Policy headers to limit the damage of any XSS that slips through
  5. Use the @view_config(renderer='templates/search.pt') pattern to separate view logic from HTML rendering
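The following is an added example, not code from this rule page or from the Pyramid project. It shows the flow described under "About This Rule" (request.params flowing unescaped into Response()) next to three hardened variants that follow remediation steps 2, 3 and 4 above. It assumes nothing about the page's playground code; when pyramid or markupsafe are not installed it falls back to minimal stand-ins (a constructed Response class and the stdlib html.escape), which is an assumption labelled in the code, and FakeRequest and the PAYLOAD string are constructed for the demo.

```python
# Added example (not part of the Code Pathfinder rule page or the Pyramid project):
# a vulnerable Pyramid view next to hardened variants following the fix list.
# Assumption: if pyramid/markupsafe are absent, stand-ins with the same calling
# convention are used so the module runs offline.
import json

try:
    from pyramid.response import Response
except ImportError:  # stand-in covering only the constructor arguments used below
    class Response:
        def __init__(self, body="", content_type="text/html", charset="utf-8", headers=None):
            self.text = body
            self.content_type = content_type
            self.headers = dict(headers or {})

try:
    from markupsafe import escape
except ImportError:  # stdlib fallback: escapes < > & " ' like markupsafe.escape
    from html import escape


class FakeRequest:
    """Constructed stand-in exposing the one attribute the views read."""
    def __init__(self, params):
        self.params = dict(params)


def search_vulnerable(request):
    """VULNERABLE (the pattern the rule flags): request.params flows unescaped into Response()."""
    q = request.params.get("q", "")
    return Response("<h1>Results for " + q + "</h1>")


def search_escaped(request):
    """Fix 2: escape user input before concatenating it into HTML."""
    q = request.params.get("q", "")
    return Response("<h1>Results for " + str(escape(q)) + "</h1>")


def search_json(request):
    """Fix 3: an API response carries application/json, so the browser does not render it as HTML."""
    q = request.params.get("q", "")
    return Response(json.dumps({"query": q}), content_type="application/json", charset="utf-8")


def search_escaped_with_csp(request):
    """Fix 2 + 4: escaping plus a Content-Security-Policy header as defence in depth."""
    resp = search_escaped(request)
    resp.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'"
    return resp


PAYLOAD = "<script>alert(1)</script>"  # constructed sample input for the demo


if __name__ == "__main__":
    req = FakeRequest({"q": PAYLOAD})
    for view in (search_vulnerable, search_escaped, search_json, search_escaped_with_csp):
        resp = view(req)
        print(f"{view.__name__:26s} {resp.content_type:18s} {resp.text!r}")
```

Only search_vulnerable returns a body in which the constructed tag survives verbatim; the escaped variants return it as `&lt;script&gt;...`, and the JSON variant is never parsed as HTML by the browser because of its Content-Type.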

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule traces data from Pyramid request sources (request.params.get, request.GET.get, request.POST.get, request.matchdict.get, request.json_body.get) to Response constructors (Response(), pyramid.response.Response()). Sanitizers include escape() and markupsafe.escape(). Uses scope="local" for intra-procedural analysis.
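To make the detection scope concrete, here is an added example of a minimal intra-procedural taint analysis over Python source with the stdlib ast module. It is not Code Pathfinder's implementation and does not reproduce its rule language; it only mirrors the sources, sinks and sanitizers listed above and, like scope="local", never follows data across function boundaries. The SAMPLE views it scans are constructed for the demo.

```python
# Added example (not Code Pathfinder's implementation): a toy "scope=local" taint
# tracker that flags Response(...) calls whose body derives from request data.
import ast

SOURCE_ATTRS = {"params", "GET", "POST", "matchdict", "json_body"}  # request.<attr>.get(...) / [...]
SINK_NAMES = {"Response"}                                            # Response(...) or pyramid.response.Response(...)
SANITIZERS = {"escape"}                                              # escape(...) or markupsafe.escape(...)


def _call_name(call):
    """Final name of a call target: Response(...) and pyramid.response.Response(...) both give 'Response'."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def _is_source(node):
    """True for request.<attr>.get(...) or request.<attr>[...] with <attr> in SOURCE_ATTRS."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "get":
        node = node.func.value
    if isinstance(node, ast.Subscript):
        node = node.value
    return (isinstance(node, ast.Attribute) and node.attr in SOURCE_ATTRS
            and isinstance(node.value, ast.Name) and node.value.id == "request")


def _is_tainted(node, tainted):
    """Does this expression carry request data? A sanitizer call stops propagation."""
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        if _call_name(node) in SANITIZERS:
            return False
        recv = node.func.value if isinstance(node.func, ast.Attribute) else None  # q.upper() keeps taint
        return ((recv is not None and _is_tainted(recv, tainted))
                or any(_is_tainted(a, tainted) for a in node.args))
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):  # "a" + b, "%s" % b
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    return False


def find_response_xss(source):
    """Return [(function_name, line)] for each Response(...) whose body argument is tainted."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:  # top-level statements of one function only (scope=local)
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if _is_tainted(stmt.value, tainted):
                    tainted |= names
                else:
                    tainted -= names  # reassignment from a clean value clears taint
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _call_name(call) in SINK_NAMES:
                    body = (call.args[0] if call.args
                            else next((k.value for k in call.keywords if k.arg == "body"), None))
                    if body is not None and _is_tainted(body, tainted):
                        findings.append((func.name, call.lineno))
    return findings


# Constructed sample under analysis: two flagged views, two clean ones.
SAMPLE = '''
from pyramid.response import Response
from markupsafe import escape

def vulnerable(request):
    q = request.params.get("q", "")
    return Response("<h1>" + q + "</h1>")

def fstring_vulnerable(request):
    name = request.matchdict["name"]
    greeting = f"<p>Hello {name}</p>"
    return Response(body=greeting)

def escaped(request):
    q = request.params.get("q", "")
    return Response("<h1>" + str(escape(q)) + "</h1>")

def constant(request):
    return Response("<h1>static</h1>")
'''

if __name__ == "__main__":
    for name, line in find_response_xss(SAMPLE):
        print(f"tainted Response() in {name} at line {line}")
```

The tracker only walks straight-line assignments inside one function, so a value that reaches Response() through a helper function, a loop-carried variable or a database round trip is invisible to it, which is the same limitation the FAQ below attributes to scope="local" analysis.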

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A03:2021 - Injection
CWE Top 25
CWE-79 ranked #2 in 2023 Most Dangerous Software Weaknesses
PCI DSS v4.0
Requirement 6.2.4 - prevent cross-site scripting attacks
NIST SP 800-53
SI-10: Information Input Validation


Frequently Asked Questions

Common questions about Pyramid Direct Response XSS

Yes. Chameleon (the default Pyramid template engine) and Jinja2 both auto-escape HTML by default. This rule only fires when you bypass templates and construct Response() objects directly with user input.

It helps but is not sufficient. Some older browsers may still render HTML in text/plain responses. The correct fix is to escape user input with markupsafe.escape() or use template rendering with auto-escaping enabled.

No. This rule detects reflected XSS where user input flows directly from request parameters to the response within a single view function. Stored XSS requires tracking data through database writes and reads, which needs scope="global" analysis.

Pyramid view functions typically receive request data and return a response within the same function. scope="local" covers this common pattern efficiently.

Run: pathfinder ci --ruleset python/pyramid --project .

New feature

Get these findings posted directly on your GitHub pull requests

The Pyramid Direct Response XSS rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.
