Commit e283d28

Python: Update TemplateInjection.qhelp
Moved things around so there is only a single `<example>` tag (and had to rewrite contents a bit).
1 parent 1e7921e commit e283d28

File tree

1 file changed

+8
-6
lines changed

python/ql/src/experimental/CWE-074/TemplateInjection.qhelp

Lines changed: 8 additions & 6 deletions
@@ -6,16 +6,18 @@
66
When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection.
77
</p>
88
</overview>
9-
<example>
10-
<p>Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
11-
<sample src="jinjaBad.py" />
12-
</example>
139
<recommendation>
1410
<p>
15-
To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, the Jinja sandbox environment can be used to evaluate untrusted code. In a sandbox, access to unsafe attributes and methods is prohibited. Hence,passing untrusted input to a sandboxed template is safe. Consider the example below, since it uses a `SandboxedEnvironment`, the code is not vulenrable to a Server Side Template Injection issue.
16-
<sample src="jinjaGood.py" />
11+
To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
1712
</p>
1813
</recommendation>
14+
<example>
15+
<p>Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
16+
<sample src="jinjaBad.py" />
17+
18+
<p>Here we have fixed the problem by using the Jinja sandbox environment for evaluating untrusted code.</p>
19+
<sample src="jinjaGood.py" />
20+
</example>
1921
<references>
2022
<li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
2123
</references>
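Review bot: the rewritten recommendation at line 11+ carries the typo `alow` over from the removed line 15; since the sentence is being rewritten anyway, make it `allow`. The removed text also named the concrete class (`SandboxedEnvironment`), and the new line 11+ only says "use a sandboxed environment"; keeping the class name in the recommendation tells the reader exactly which Jinja API to reach for. Two smaller points: the example paragraph at line 15+ is a comma splice ("Consider the example given below, an untrusted HTTP parameter `template` is used ..."), which reads better split into two sentences or joined with "where"; and lines 17+ and 18+ leave a double blank line between the two samples.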
