hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Reveiw suggestions: Spelling/grammar fixes

Browse Source 
Co-authored-by: Taus <tausbn@github.com>
This commit is contained in:
Joe Farebrother
2024-11-29 09:49:31 +00:00
parent 0f0c1e1609
commit 6e16ed52e8
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/Security/CWE-074/TemplateInjection.qhelp
View File

@@ -18,7 +18,7 @@
<p>The following is an example of a string that could be used to cause remote code execution when interpreted as a template:</p>
<sample src="examples/template_exploit.txt" />
<p>In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.</p>
<p>In the following case, user input is not used to construct the template; rather it is only used as the parameters to render the template, which is safe.</p>
<sample src="examples/JinjaGoodParam.py" />
<p>In the following case, a <code>SandboxedEnvironment</code> is used, preventing remote code execution.</p>

2
python/ql/src/Security/CWE-074/TemplateInjection.ql
View File

@@ -16,5 +16,5 @@ import TemplateInjectionFlow::PathGraph
from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
where TemplateInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This Template construction depends on $@.", source.getNode(),
select sink.getNode(), source, sink, "This template construction depends on a $@.", source.getNode(),
"user-provided value"

2
python/ql/src/change-notes/2024-11-21-template-injection.md
View File

@@ -1,4 +1,4 @@
---
category: newQuery
---
* The Server Side Template Injection query (`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the ain query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.
* The Server Side Template Injection query (`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.