python.flask.security.audit.render-template-string.render-template-string

Community Favorite
Author: semgrep
Downloads: 80,463

Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks. Note that the pattern matches every call to flask.render_template_string(...), whether or not the template string is built dynamically from user input; this is an audit rule with LOW confidence, so each finding needs a manual check of where the template source comes from.


Definition

rules:
  - id: render-template-string
    pattern: flask.render_template_string(...)
    metadata:
      cwe:
        - "CWE-96: Improper Neutralization of Directives in Statically Saved
          Code ('Static Code Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
      category: security
      technology:
        - flask
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    message: Found a template created with string formatting. This is susceptible to
      server-side template injection and cross-site scripting attacks.
    languages:
      - python
    severity: WARNING

Examples

render-template-string.py

import flask
from flask import request

app = flask.Flask(__name__)

# Registered as the 404 handler so Flask supplies the `e` argument and the
# 404 status below makes sense; templates/layout.html is assumed to exist.
# The user-controlled URL is spliced into the template *source* (the Jinja
# delimiters are %%-escaped so the % operator leaves them intact), which is
# the pattern the rule flags: any Jinja syntax the user gets into the URL is
# evaluated by the template engine instead of being treated as data.
@app.errorhandler(404)
def error(e):
    template = '''{%% extends "layout.html" %%}
{%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
{%% endblock %%}
''' % request.url
    # ruleid: render-template-string
    return flask.render_template_string(template), 404

@app.route("/index")
def index():
    # ok: render-template-string
    return flask.render_template("index.html"), 200
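The following is an added example, not part of the Semgrep rule or its test file, that runs the flagged pattern beside its fix under Flask's test request context so the difference can be observed without a browser. The helper names (render_vulnerable, render_safe), the SECRET_KEY value and the payloads are constructed for this demonstration. The fix is the one the rule's message implies: keep the template source constant and pass untrusted data in as a context variable, where Jinja treats it as data and Flask's autoescaping (enabled for render_template_string) neutralises HTML.

```python
import flask

app = flask.Flask(__name__)
# Constructed secret so the SSTI payload below has something to leak.
app.config["SECRET_KEY"] = "constructed-demo-secret"


def render_vulnerable(untrusted: str) -> str:
    """The pattern the rule flags: untrusted text becomes template *source*.

    Jinja compiles and evaluates whatever expressions it contains, with the
    full Flask template context (config, request, g, ...) available.
    """
    template = "<h3>%s</h3>" % untrusted
    with app.test_request_context("/error"):
        return flask.render_template_string(template)


def render_safe(untrusted: str) -> str:
    """Fixed form: constant template source, untrusted text passed as data.

    The value is never parsed as Jinja, and autoescaping encodes <, >, &, ' and "
    so it cannot break out into HTML either.
    """
    template = "<h3>{{ message }}</h3>"
    with app.test_request_context("/error"):
        return flask.render_template_string(template, message=untrusted)


if __name__ == "__main__":
    # Constructed payloads: expression evaluation, config leak, stored XSS.
    for payload in ("{{ 7 * 7 }}", "{{ config['SECRET_KEY'] }}", "<script>alert(1)</script>"):
        print("payload   :", payload)
        print("vulnerable:", render_vulnerable(payload))
        print("safe      :", render_safe(payload))
```

With the vulnerable helper, `{{ 7 * 7 }}` renders as `49` and `{{ config['SECRET_KEY'] }}` prints the application secret, which is why the rule's CWE is code injection rather than plain XSS; with the safe helper both payloads come back as literal text and the script tag is entity-encoded. Requires Flask to be installed.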