python.flask.security.audit.render-template-string.render-template-string
Community Favorite
Download count: 80,463
Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
Definition
rules:
  - id: render-template-string
    pattern: flask.render_template_string(...)
    metadata:
      cwe:
        - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
      category: security
      technology:
        - flask
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.
    languages:
      - python
    severity: WARNING
Examples
render-template-string.py
import flask

app = flask.Flask(__name__)


@app.route("/error")
def error():
    # The request URL is spliced into the template *source* before Jinja
    # parses it, so template syntax in the URL is executed (server-side
    # template injection) and HTML in it is rendered unescaped (XSS).
    # "%%" is a literal "%" because the string itself is %-formatted.
    # Assumes templates/layout.html exists.
    template = '''{%% extends "layout.html" %%}
{%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
{%% endblock %%}
''' % (flask.request.url,)
    # ruleid: render-template-string
    return flask.render_template_string(template), 404


@app.route("/index")
def index():
    # ok: render-template-string
    return flask.render_template("index.html"), 200
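The rule's pattern matches every flask.render_template_string(...) call, which is why its confidence is LOW. As an added example, not part of the Semgrep rule or its test file, this stdlib-only checker applies the narrower condition the message describes: it flags only calls whose template argument is built by string formatting (%-formatting, .format(), f-strings, concatenation), directly or through a local assigned one earlier in the same function, and the constructed SAMPLE pairs the page's flagged route with a hardened route that passes the untrusted value to Jinja as context data; find_formatted_template_calls and the helper names are my own.

```python
import ast

def is_formatted_string(node):
    # True for f"...", "..." % x, "..." + x and "...".format(x)
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "format"

def is_render_template_string(call):
    # Match flask.render_template_string(...) or the bare imported name
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr == "render_template_string" and getattr(f.value, "id", None) == "flask"
    return isinstance(f, ast.Name) and f.id == "render_template_string"

def find_formatted_template_calls(source):
    """Line numbers of render_template_string calls whose template argument is a
    formatted string, directly or via a local assigned one earlier in the same body."""
    hits = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        formatted = {}  # local name -> was its latest assignment a formatted string?
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for name in (t.id for t in stmt.targets if isinstance(t, ast.Name)):
                    formatted[name] = is_formatted_string(stmt.value)
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if not (is_render_template_string(call) and call.args):
                    continue
                arg = call.args[0]
                if is_formatted_string(arg) or (isinstance(arg, ast.Name) and formatted.get(arg.id)):
                    hits.add(call.lineno)
    return sorted(hits)

# Constructed sample: the page's flagged route plus a hardened route (context data, not source)
SAMPLE = '''import flask
app = flask.Flask(__name__)

@app.route("/error")
def error():
    template = "<h3>%s</h3>" % flask.request.url        # template source built by formatting
    return flask.render_template_string(template), 404   # flagged (line 7)

@app.route("/hello")
def hello():  # URL reaches Jinja as data: HTML-escaped, never parsed as template syntax
    return flask.render_template_string("<h3>{{ url }}</h3>", url=flask.request.url)
'''
```

Running find_formatted_template_calls(SAMPLE) returns [7]; the hardened /hello route is not reported because its template is a constant and the URL only enters as a context variable.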
Short Link: https://sg.run/8yjE