2020-06-30 12:50:28 +02:00
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
from flask import request, render_template_string
|
|
|
|
|
|
|
|
|
|
# /hello?username={{config}} will display the entire flask configuration and potential secrets
|
|
|
|
|
@app.route('/hello')
|
|
|
|
|
def hello():
|
|
|
|
|
username = request.args.get('username')
|
|
|
|
|
template = f"<p>Hello {username}</p>" # User input is used directly in the string to be rendered
|
|
|
|
|
return render_template_string(template) # Noncompliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
from flask import request, render_template_string
|
|
|
|
|
|
|
|
|
|
@app.route('/hello')
|
|
|
|
|
def hello():
|
|
|
|
|
username = request.args.get('username')
|
|
|
|
|
template = "<p>Hello {{ name }}</p>"
|
|
|
|
|
return render_template_string(template, name=username) # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== See
|
|
|
|
|
|
2020-06-30 14:49:38 +02:00
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
|
|
|
|
|
* https://cwe.mitre.org/data/definitions/94.html[MITRE, CWE-94] - Improper Control of Generation of Code
|
|
|
|
|
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
|
