2023-08-08 15:40:08 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
== Why is this an issue?
|
|
|
|
|
|
2024-04-18 15:26:08 +02:00
|
|
|
include::../rationale.adoc[]
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2024-04-18 15:26:08 +02:00
|
|
|
include::../impact.adoc[]
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
== How to fix it
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
=== Code examples
|
2020-06-30 12:50:28 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
==== Noncompliant code example
|
2020-06-30 12:50:28 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
The following code is vulnerable to server-side template injection because it
|
|
|
|
|
is inserting untrusted inputs into a string that is then processed for
|
|
|
|
|
rendering. +
|
|
|
|
|
This vulnerability arises because the rendering function does not validate the
|
|
|
|
|
input, allowing attackers to potentially inject malicious Python code for
|
|
|
|
|
execution.
|
|
|
|
|
|
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
2020-06-30 12:50:28 +02:00
|
|
|
----
|
|
|
|
|
from flask import request, render_template_string
|
|
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
@app.route('/example')
|
|
|
|
|
def example():
|
2020-06-30 12:50:28 +02:00
|
|
|
username = request.args.get('username')
|
2023-08-08 15:40:08 +02:00
|
|
|
template = f"<p>Hello {username}</p>"
|
2020-06-30 12:50:28 +02:00
|
|
|
return render_template_string(template) # Noncompliant
|
|
|
|
|
----
|
|
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
==== Compliant solution
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
2020-06-30 12:50:28 +02:00
|
|
|
----
|
|
|
|
|
from flask import request, render_template_string
|
|
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
@app.route('/example')
|
|
|
|
|
def example():
|
2020-06-30 12:50:28 +02:00
|
|
|
username = request.args.get('username')
|
2023-08-08 15:40:08 +02:00
|
|
|
template = "<p>Hello {{ username }}</p>"
|
|
|
|
|
return render_template_string(template, username=username)
|
2020-06-30 12:50:28 +02:00
|
|
|
----
|
|
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
=== How does this work?
|
|
|
|
|
|
|
|
|
|
==== Use template variables
|
|
|
|
|
|
|
|
|
|
The universal method to prevent path injection is to sanitize untrusted data.
|
|
|
|
|
Manual sanitization is error-prone, so it is best to automate the process.
|
|
|
|
|
|
|
|
|
|
Here, `render_template_string` automatically sanitizes template variables by
|
|
|
|
|
escaping them. This means that any untrusted data will not be able to break out
|
|
|
|
|
of the initially intended template logic.
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
== Resources
|
2020-06-30 12:50:28 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
=== Articles & blog posts
|
|
|
|
|
|
|
|
|
|
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
|
|
|
|
|
|
2024-04-18 15:26:08 +02:00
|
|
|
include::../standards.adoc[]
|
2021-04-28 18:08:03 +02:00
|
|
|
|
2024-05-06 07:56:31 +01:00
|
|
|
|
2021-09-20 15:38:42 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
2024-04-18 15:26:08 +02:00
|
|
|
include::../message.adoc[]
|
2023-05-25 14:18:12 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
=== Highlighting
|
|
|
|
|
|
|
|
|
|
"[varname]" is tainted (assignments and parameters)
|
2021-09-20 15:38:42 +02:00
|
|
|
|
2023-08-08 15:40:08 +02:00
|
|
|
this argument is tainted (method invocations)
|
|
|
|
|
|
|
|
|
|
the returned value is tainted (returns & method invocations results)
|
|
|
|
|
|
|
|
|
|
'''
|
2021-09-20 15:38:42 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
