Add qhelp

python/ql/src/Security/CWE-074/TemplateInjection.qhelp

@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+                A template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            Ensure that an untrusted value is not used to directly construct a template. 
+            Jinja also provides a <code>SandboxedEnvironment</code> that prohibits access to unsafe methods and attributes, that can be used if constructing a template from user input is absolutely necessary. 
+        </p>
+    </recommendation>
+    <example>
+        <p>In the following case <code>template<code> is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
+        <sample src="examples/JinjaBad.py" />
+
+        <p>The following is an example of a string that could be used to cause remote code execution when interpreted as a template:</p>
+        <sample src="examples/template_exploit" />
+
+        <p>In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.</p>
+        <sample scr="examples/JinjaGoodParam" />
+        
+        <p>In the following case, a <code>SandboxedEnvironment</code> is used, preventing remote code execution.</p>
+        <sample src="examples/JinjaGoodSandbox.py" />
+    </example>
+    <references>
+        <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
+    </references>
+</qhelp>

python/ql/src/Security/CWE-074/examples/JinjaBad.py

@@ -0,0 +1,19 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template, escape
+
+
+def a(request):
+    template = request.GET['template']
+
+    # BAD: Template is constructed from user input. 
+    t = Template(template)
+
+    name = request.GET['name']
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+]

python/ql/src/Security/CWE-074/examples/JinjaGoodParam.py

@@ -0,0 +1,17 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template, escape
+
+
+def a(request):
+    # GOOD: Template is a constant, not constructed from user input
+    t = Template("Hello, {{name}}!")
+
+    name = request.GET['name']
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+]

python/ql/src/Security/CWE-074/examples/JinjaGoodSandbox.py

@@ -0,0 +1,21 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import escape
+from jinja2.sandbox import SandboxedEnvironment
+
+
+def a(request):
+    env = SandboxedEnvironment()
+    template = request.GET['template']
+
+    # GOOD: A sandboxed environment is used to construct the template. 
+    t = env.from_string(template)
+
+    name = request.GET['name']
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+]

python/ql/src/Security/CWE-074/examples/template_exploit.txt

@@ -0,0 +1 @@
+{% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').system('cat /etc/passwd') }}{% endif %}{% endfor %}