add qhelp and fix tests.

2025-12-20 18:56:32 +01:00 · 2020-07-23 20:04:32 +05:30
parent 8e85dc755a
commit 1e7921e575
4 changed files with 93 additions and 5 deletions
--- a/python/ql/src/experimental/CWE-074/JinjaBad.py
+++ b/python/ql/src/experimental/CWE-074/JinjaBad.py
@@ -0,0 +1,19 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template as Jinja2_Template
+from jinja2 import Environment, DictLoader, escape
+
+
+def a(request):
+    # Load the template
+    template = request.GET['template']
+    t = Jinja2_Template(template)
+    name = request.GET['name']
+    # Render the template with the context data
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+]
--- a/python/ql/src/experimental/CWE-074/JinjaGood.py
+++ b/python/ql/src/experimental/CWE-074/JinjaGood.py
@@ -0,0 +1,20 @@
+from django.urls import path
+from django.http import HttpResponse
+from jinja2 import Template as Jinja2_Template
+from jinja2 import Environment, DictLoader, escape
+
+
+def a(request):
+    # Load the template
+    template = request.GET['template']
+    env = SandboxedEnvironment(undefined=StrictUndefined)
+    t = env.from_string(template)
+    name = request.GET['name']
+    # Render the template with the context data
+    html = t.render(name=escape(name))
+    return HttpResponse(html)
+
+
+urlpatterns = [
+    path('a', a),
+]
--- a/python/ql/src/experimental/CWE-074/TemplateInjection.qhelp
+++ b/python/ql/src/experimental/CWE-074/TemplateInjection.qhelp
@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Template Injection occurs when user input is embedded in a template in an unsafe manner.
+            When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection.         
+        </p>
+    </overview>
+    <example>
+        <p>Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
+        <sample src="jinjaBad.py" />
+    </example>
+    <recommendation>
+        <p>
+            To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, the Jinja sandbox environment can be used to evaluate untrusted code. In a sandbox, access to unsafe attributes and methods is prohibited. Hence,passing untrusted input to a sandboxed template is safe. Consider the example below, since it uses a `SandboxedEnvironment`, the code is not vulenrable to a Server Side Template Injection issue.
+            <sample src="jinjaGood.py" />
+        </p>
+    </recommendation>
+    <references>
+        <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
+    </references>
+</qhelp>