include::../description.adoc[]

== Noncompliant Code Example

----
from flask import request, render_template_string

# /hello?username={{config}} will display the entire flask configuration and potential secrets
@app.route('/hello')
def hello():
    username = request.args.get('username')
    template = f"<p>Hello {username}</p>" # User input is used directly in the string to be rendered
    return render_template_string(template) # Noncompliant
----

== Compliant Solution

----
from flask import request, render_template_string

@app.route('/hello')
def hello():
    username = request.args.get('username')
    template = "<p>Hello {{ name }}</p>"
    return render_template_string(template, name=username) # Compliant
----

== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/94.html[MITRE, CWE-94] - Improper Control of Generation of Code
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]