Python : Add query to detect Server Side Template Injection

2026-05-02 20:25:13 +02:00 · 2020-05-04 01:56:37 +05:30
parent 2e5af67626
commit 49df4169cf
64 changed files with 918 additions and 0 deletions
--- a/python/ql/test/query-tests/Security/lib/airspeed.py
+++ b/python/ql/test/query-tests/Security/lib/airspeed.py
@@ -0,0 +1,3 @@
+class Template:
+    def __init__(self, content, filename="<string>"):
+        pass
--- a/python/ql/test/query-tests/Security/lib/cheetah/Template/init.py
+++ b/python/ql/test/query-tests/Security/lib/cheetah/Template/init.py
@@ -0,0 +1,2 @@
+class Template(object):
+    pass
--- a/python/ql/test/query-tests/Security/lib/chevron.py
+++ b/python/ql/test/query-tests/Security/lib/chevron.py
@@ -0,0 +1,6 @@
+
+
+def render(template='', data={}, partials_path='.', partials_ext='mustache',
+    partials_dict={}, padding='', def_ldel='{{', def_rdel='}}',
+    scopes=None):
+    pass
--- a/python/ql/test/query-tests/Security/lib/flask/init.py
+++ b/python/ql/test/query-tests/Security/lib/flask/init.py
@@ -28,3 +28,6 @@ def make_response(rv):

 def escape(txt):
    return Markup.escape(txt)
+
+def render_template_string(source, **context):
+    pass
--- a/python/ql/test/query-tests/Security/lib/jinja2.py
+++ b/python/ql/test/query-tests/Security/lib/jinja2.py
@@ -18,3 +18,6 @@ class FileSystemLoader(object):

    def __init__(self, searchpath):
        pass
+
+def from_string(source, globals=None, template_class=None):
+    pass