ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5496/python/rule.adoc
Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) 
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00

85 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
== How to fix it
=== Code examples
==== Noncompliant code example
The following code is vulnerable to server-side template injection because it
is inserting untrusted inputs into a string that is then processed for
rendering. +
This vulnerability arises because the rendering function does not validate the
input, allowing attackers to potentially inject malicious Python code for
execution.
[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import request, render_template_string
@app.route('/example')
def example():
username = request.args.get('username')
template = f"<p>Hello {username}</p>"
return render_template_string(template) # Noncompliant
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
from flask import request, render_template_string
@app.route('/example')
def example():
username = request.args.get('username')
template = "<p>Hello {{ username }}</p>"
return render_template_string(template, username=username)
----
=== How does this work?
==== Use template variables
The universal method to prevent path injection is to sanitize untrusted data.
Manual sanitization is error-prone, so it is best to automate the process.
Here, `render_template_string` automatically sanitizes template variables by
escaping them. This means that any untrusted data will not be able to break out
of the initially intended template logic.
== Resources
=== Articles & blog posts
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
include::../standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
include::../message.adoc[]
=== Highlighting
"[varname]" is tainted (assignments and parameters)
this argument is tainted (method invocations)
the returned value is tainted (returns & method invocations results)
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink