rspec/rules/S5496/python/rule.adoc

User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing HTML content directly from tainted data enables attacker(s) to inject special crafted values to abuse template engine's rendering process. Successful server side template injection (SSTI) attack can lead to arbitrary file read or operating system commands execution.


Template engine are used by web server to render rich HTML content, generally web pages or emails. Template injection usually happens when the template content has been dynamically generated from unvalidated user inputs.


This problem can be avoided by:

* Using static template that are read from files rather than building templates dynamically
* Using template variables to inject dynamic values at render time
* Using template engine advanced control structure (like blocks or include) to dynamically build complex templates


== Noncompliant Code Example

[source,python]
----
from flask import request, render_template_string

# /hello?username={{config}} will display the entire flask configuration and potential secrets
@app.route('/hello')
def hello():
    username = request.args.get('username')
    template = f"<p>Hello {username}</p>" # User input is used directly in the string to be rendered
    return render_template_string(template) # Noncompliant
----


== Compliant Solution

[source,python]
----
from flask import request, render_template_string

@app.route('/hello')
def hello():
    username = request.args.get('username')
    template = "<p>Hello {{ name }}</p>"
    return render_template_string(template, name=username) # Compliant
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/94.html[MITRE, CWE-94] - Improper Control of Generation of Code
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

endif::env-github,rspecator-view[]
Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing HTML content directly from tainted data enables attacker(s) to inject special crafted values to abuse template engine's rendering process. Successful server side template injection (SSTI) attack can lead to arbitrary file read or operating system commands execution.`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

			`Template engine are used by web server to render rich HTML content, generally web pages or emails. Template injection usually happens when the template content has been dynamically generated from unvalidated user inputs.`


			`This problem can be avoided by:`

			`* Using static template that are read from files rather than building templates dynamically`
			`* Using template variables to inject dynamic values at render time`
			`* Using template engine advanced control structure (like blocks or include) to dynamically build complex templates`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`from flask import request, render_template_string`

			`# /hello?username={{config}} will display the entire flask configuration and potential secrets`
			`@app.route('/hello')`
			`def hello():`
			`username = request.args.get('username')`
			`template = f"<p>Hello {username}</p>" # User input is used directly in the string to be rendered`
			`return render_template_string(template) # Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`from flask import request, render_template_string`

			`@app.route('/hello')`
			`def hello():`
			`username = request.args.get('username')`
			`template = "<p>Hello {{ name }}</p>"`
			`return render_template_string(template, name=username) # Compliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* https://cwe.mitre.org/data/definitions/94.html[MITRE, CWE-94] - Improper Control of Generation of Code`
			`* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`endif::env-github,rspecator-view[]`