Bento version 0.9 includes a check that caught a high-severity Python vulnerability and also introduces a suite of checks for Jinja, Flask’s HTML template engine. Plus, a new GitHub Action is in development and we’re looking for early users.
Get the latest Bento with:
$ pip3 install --upgrade bento-cli
Our team member mschwager found CVE-2020-8492: a regular-expression denial of service (ReDoS) caused by catastrophic backtracking in the Python standard library. This type of bug infamously caused a large Cloudflare outage in July 2019, their first global outage in six years. Now the ReDoS check is available for you to run on your codebase using Bento 0.9!
# Run the Dlint tool and its ReDoS check once:
$ bento check --tool=dlint --all
# Enable Dlint and its ReDoS check to run on every commit:
$ bento enable tool dlint
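To show what this class of check looks for, here is an added example (not Bento's or Dlint's own code): it parses a regex with the standard library's own parser, flags an unbounded repeat nested inside another unbounded repeat (the `(a+)+` shape that backtracks exponentially), and scans Python source for `re.*` calls whose literal pattern has that shape. The `SAMPLE_SOURCE` module and its patterns are constructed for the illustration; the heuristic is deliberately narrow and does not catch every ReDoS (e.g. overlapping alternations).

```python
import ast
import re
# Python 3.11+ moved the regex parser to re._parser; older releases expose sre_parse.
try:
    from re import _parser as sre_parser  # type: ignore[attr-defined]
except ImportError:
    import sre_parse as sre_parser  # type: ignore[no-redef]

def _nested(subpattern, depth=0):
    """True if an unbounded repeat (+ or *) sits inside another unbounded repeat."""
    for op, av in subpattern:
        if op in (sre_parser.MAX_REPEAT, sre_parser.MIN_REPEAT):
            unbounded = av[1] == sre_parser.MAXREPEAT  # av = (min, max, body)
            if unbounded and depth >= 1:
                return True
            if _nested(av[2], depth + 1 if unbounded else depth):
                return True
        elif op == sre_parser.SUBPATTERN and _nested(av[-1], depth):  # (...) group
            return True
        elif op == sre_parser.BRANCH and any(_nested(b, depth) for b in av[1]):  # a|b
            return True
    return False

def has_nested_unbounded_repeat(pattern: str) -> bool:
    """Heuristic for exponential backtracking, e.g. (a+)+ ; raises re.error on bad input."""
    return _nested(sre_parser.parse(pattern))

def find_redos_patterns(source: str):
    """Return (line, pattern) for each re.<func>("literal", ...) call whose pattern nests unbounded repeats."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        func = node.func if isinstance(node, ast.Call) else None
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "re" and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str) \
                and has_nested_unbounded_repeat(arg.value):
            findings.append((node.lineno, arg.value))
    return sorted(findings)

# Constructed sample module (not real project code): two risky patterns, one linear.
SAMPLE_SOURCE = r'''
import re
EMAIL = re.compile(r"^(\w+\.?)+@example\.com$")  # nested: (\w+)+
TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")          # single repeat, linear
def check(s):
    return re.match(r"^(\d+)*$", s)               # nested: (\d+)*
'''
```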
Here’s a visualization of catastrophic backtracking:
Our favorite of the new Jinja checks catches an easy mistake that has been described as “the most underestimated vulnerability ever”: missing noreferrer and noopener attributes on links.
For existing projects, run the following (the Jinja checks are enabled by default for new projects):
# Run Jinja checks once:
$ bento check --tool=r2c.jinja --all
# Run Jinja checks on every commit:
$ bento enable tool r2c.jinja
Bento is coming to the GitHub Actions marketplace in the next release. We’ve been using the Action ourselves and would love to get your feedback on it, too. Ready to give it a try? Email us if you’d like to try it before we ship it broadly.
As always, please don’t hesitate to reach out to us for support or discussion via firstname.lastname@example.org or on Slack.
Happy coding from the Bento Team!