ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5496/python/rule.adoc
Alban Auzeill 2c306d110e Fix code block ambiguity with old header style 
Ensure blank line before list and clean the one leading space
2020-06-30 17:16:12 +02:00

33 lines
1.0 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
----
from flask import request, render_template_string
# /hello?username={{config}} will display the entire flask configuration and potential secrets
@app.route('/hello')
def hello():
username = request.args.get('username')
template = f"<p>Hello {username}</p>" # User input is used directly in the string to be rendered
return render_template_string(template) # Noncompliant
----
== Compliant Solution
----
from flask import request, render_template_string
@app.route('/hello')
def hello():
username = request.args.get('username')
template = "<p>Hello {{ name }}</p>"
return render_template_string(template, name=username) # Compliant
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/94.html[MITRE, CWE-94] - Improper Control of Generation of Code
* https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2]
Reference in New Issue View Git Blame Copy Permalink