
Veracode is reporting a security issue on a piece of code which seems pretty innocuous to me. The code is built with Python/Django and the line in question is:

return render(request, 'core/create-user.html', context)

The render shortcut for Django is pretty standard and it expects a request object, the name of a template and the context to be passed to the template. I am not sure why Veracode is complaining about this.

It seems it is picking up the words "create-user" from the template name and assuming it to be an OS/library method being called to create a user based on some user input, which is why it is complaining, but this sounds pretty dumb to me on Veracode's behalf.

Is it really a security issue, if so why? Or is it a false positive?

Divick
    Looks like a fake positive to me. Can you ask VeraCode? At their prices they should help you! – paj28 Jan 06 '20 at 12:07
  • @paj28 Unfortunately I don't have a Veracode license. My client seems to have run the Veracode scan on the code base and is reporting the issue to me as the person developing the code base, and hence I am supposed to fix the security issue too. Throwing it back to the client would seem like I have offloaded the work back to them, and hence my question :) – Divick Jan 06 '20 at 12:33
  • I see. If they're a cooperative client, I would chuck it back at this point. If they're a tricky client this is quite a PITA situation as without changes your issue will still show on a rescan, and they may not accept your word that it's a false positive. – paj28 Jan 06 '20 at 20:23
  • Have you posted this question to the Veracode Community: https://community.veracode.com/s/ – Susu Jan 06 '20 at 23:44

1 Answer


I don't see anything wrong with this implementation. It is also completely according to documentation: https://docs.djangoproject.com/en/3.0/topics/http/shortcuts/

It seems like this Veracode result is a false positive.

yaloner
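Added example, not part of the question or the answer above: the argument for calling this a false positive is that the template name passed to Django's render(request, template_name, context=None, ...) is a string literal, so nothing attacker-controlled reaches the template loader. The stdlib-only script below makes that check mechanical, so it can be attached to the finding as evidence. It parses view source with the ast module and classifies each render() call's template argument as "literal", "dynamic" (built from request data, possibly through a local variable) or "unknown". The sample views in SAMPLE_VIEWS are constructed for this example; the first reproduces the call shape from the question, the other two show the pattern that would actually deserve a finding. The taint tracking is deliberately shallow (straight-line assignments only) and is an assumption of this example, not how Veracode works.

```python
import ast

# Constructed sample source, not code from the original post. The first view
# matches the questioner's call; the other two derive the template name from
# request data, which is the shape a scanner should actually flag.
SAMPLE_VIEWS = '''
from django.shortcuts import render

def create_user(request):
    context = {"form": None}
    return render(request, 'core/create-user.html', context)

def show_page(request):
    # template name taken straight from the query string
    return render(request, request.GET.get("page"), {})

def show_page_kw(request):
    name = request.POST["tpl"]
    return render(request, template_name="core/" + name)
'''


def _names_in(node: ast.AST) -> set:
    """All bare identifiers referenced anywhere inside an expression or statement."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _tainted_locals(func: ast.FunctionDef) -> set:
    """Shallow taint pass: `request` plus any local assigned from a tainted name.

    Assumption of this example: assignments are visited in source order and
    there is no re-assignment to a clean value, which holds for simple views.
    """
    tainted = {"request"}
    for stmt in ast.walk(func):
        if isinstance(stmt, ast.Assign) and _names_in(stmt.value) & tainted:
            for target in stmt.targets:
                tainted |= _names_in(target)
    return tainted


def _template_arg(call: ast.Call):
    """Return the template-name expression per Django's render() signature:
    render(request, template_name, context=None, ...)."""
    if len(call.args) >= 2:
        return call.args[1]
    for kw in call.keywords:
        if kw.arg == "template_name":
            return kw.value
    return None


def classify_render_calls(source: str) -> dict:
    """Map each view function name to 'literal', 'dynamic' or 'unknown'.

    'literal'  - the template name is a string constant (cannot be user-controlled)
    'dynamic'  - the expression references `request` or a request-derived local
    'unknown'  - anything else (no template arg, or built from untracked names)
    """
    tree = ast.parse(source)
    results = {}
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = _tainted_locals(func)
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            callee = call.func
            name = callee.id if isinstance(callee, ast.Name) else getattr(callee, "attr", None)
            if name != "render":
                continue
            tmpl = _template_arg(call)
            if tmpl is None:
                verdict = "unknown"
            elif isinstance(tmpl, ast.Constant) and isinstance(tmpl.value, str):
                verdict = "literal"
            elif _names_in(tmpl) & tainted:
                verdict = "dynamic"
            else:
                verdict = "unknown"
            results[func.name] = verdict
    return results


if __name__ == "__main__":
    for view, verdict in classify_render_calls(SAMPLE_VIEWS).items():
        print(f"{view}: template name is {verdict}")
```

Running it reports create_user as "literal" and the other two as "dynamic". A finding on a literal template name is worth disputing; a finding on a dynamic one is worth fixing, because a caller-chosen template name lets a client select any template the loaders can reach.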