hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-03 22:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
96a06bed8d96c86836dee2f740117c693e9ff3f5
codeql/python/ql/src/Security/CWE-074/TemplateInjection.qhelp
Joe Farebrother 8a778da253 Apply suggestions from docs review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2024-12-09 19:58:00 +00:00

31 lines
1.7 KiB
XML
Raw Blame History

<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
<p>
A template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting.
</p>
</overview>
<recommendation>
<p>
Ensure that an untrusted value is not used to directly construct a template.
Jinja also provides <code>SandboxedEnvironment</code> that prohibits access to unsafe methods and attributes. This can be used if constructing a template from user input is absolutely necessary.
</p>
</recommendation>
<example>
<p>In the following case, <code>template</code> is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
<sample src="examples/JinjaBad.py" />
<p>The following is an example of a string that could be used to cause remote code execution when interpreted as a template:</p>
<sample src="examples/template_exploit.txt" />
<p>In the following case, user input is not used to construct the template. Instead, it is only used as the parameters to render the template, which is safe.</p>
<sample src="examples/JinjaGoodParam.py" />
<p>In the following case, a <code>SandboxedEnvironment</code> is used, preventing remote code execution.</p>
<sample src="examples/JinjaGoodSandbox.py" />
</example>
<references>
<li>Portswigger: <a href="https://portswigger.net/web-security/server-side-template-injection">Server-Side Template Injection</a>.</li>
</references>
</qhelp>
Reference in New Issue View Git Blame Copy Permalink