Python: Promote Template Injection query from experimental #17922
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
joefarebrother
force-pushed
the
python-promote-template-injection
branch
from
b487f4c to
2d04af8
Compare
joefarebrother
force-pushed
the
python-promote-template-injection
branch
3 times, most recently
from
9377747 to
66e173c
Compare
|
QHelp previews: python/ql/src/Security/CWE-074/TemplateInjection.qhelpServer Side Template InjectionA template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting. RecommendationEnsure that an untrusted value is not used to directly construct a template. Jinja also provides ExampleIn the following case, from django.urls import path
from django.http import HttpResponse
from jinja2 import Template, escape
def a(request):
template = request.GET['template']
# BAD: Template is constructed from user input.
t = Template(template)
name = request.GET['name']
html = t.render(name=escape(name))
return HttpResponse(html)
urlpatterns = [
path('a', a),
]The following is an example of a string that could be used to cause remote code execution when interpreted as a template: {% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').system('cat /etc/passwd') }}{% endif %}{% endfor %}
In the following case, user input is not used to construct the template. Instead, it is only used as the parameters to render the template, which is safe. from django.urls import path
from django.http import HttpResponse
from jinja2 import Template, escape
def a(request):
# GOOD: Template is a constant, not constructed from user input
t = Template("Hello, {{name}}!")
name = request.GET['name']
html = t.render(name=escape(name))
return HttpResponse(html)
urlpatterns = [
path('a', a),
]In the following case, a from django.urls import path
from django.http import HttpResponse
from jinja2 import escape
from jinja2.sandbox import SandboxedEnvironment
def a(request):
env = SandboxedEnvironment()
template = request.GET['template']
# GOOD: A sandboxed environment is used to construct the template.
t = env.from_string(template)
name = request.GET['name']
html = t.render(name=escape(name))
return HttpResponse(html)
urlpatterns = [
path('a', a),
]References
|
joefarebrother
force-pushed
the
python-promote-template-injection
branch
from
f6ef223 to
190afe6
Compare
| /** Gets a reference to an instance of `jinja2.Environment`. */ | ||
| private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) { | ||
| t.start() and | ||
| result = EnvironmentClass::classRef().getACall() | ||
| or | ||
| exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t)) | ||
| } | ||
|
|
||
| /** Gets a reference to an instance of `jinja2.Environment`. */ | ||
| DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) } |
There was a problem hiding this comment.
I don't see why we need to use type tracking here. It looks to me like classRef().getAnInstance() would do the same thing.
There was a problem hiding this comment.
Changed.
In what sort of situations do we want to use type tracking as opposed to API graphs?
There was a problem hiding this comment.
In general, I would suggest using API graphs wherever possible, only using type tracking when API graphs are not sufficient. One example of where we do this is in the modelling of pathlib, where we want to observe that the / operator returns a Path object. Since the API graph (at present) doesn't have any way to reference the step from a to a / b (say) because the latter doesn't have a node in the API graph, we have to use type tracking instead.
In the glorious future when we get API graphs à la Ruby, we should be able to do this without using type trackers. (Well, apart from the two very general type(back)trackers that the API graph calculation is built upon.)
| private class Jinja2FromStringConstruction extends TemplateConstruction::Range, | ||
| DataFlow::MethodCallNode | ||
| { | ||
| Jinja2FromStringConstruction() { this.calls(EnvironmentClass::instance(), "from_string") } |
There was a problem hiding this comment.
This also seems like something we could push into the API graph layer, to make it slightly more general.
python/ql/test/library-tests/frameworks/django-v2-v3/template_test.py
Outdated
Show resolved
Hide resolved
|
Do we need a separate docs review from the docs team, or ok to merge as is? |
joefarebrother
added
the
ready-for-doc-review
|
👋🏼 @joefarebrother I'm not entirely sure if this requires a separate Docs review, so I've asked in #code-security-docs in Slack. cc @felicitymay or @saritai |
|
👋🏼 @joefarebrother I've confirmed with Felicity that this needs a docs review. For the reasoning, I'll share her Slack message:
I've added this to the Docs Content review board for a writer to review. |
`Cheetah` was excluded as it was last updated 15 years ago and its documentation links are dead.
Co-authored-by: Taus <[email protected]>
Co-authored-by: Ben Ahmady <[email protected]>
joefarebrother
force-pushed
the
python-promote-template-injection
branch
from
8a5e55b to
f82fa20
Compare
|
Updated test outputs - just needs re-approval if tests now pass |
Promotes the Template Injection query, originally submitted to the experimental query pack here.
Fixes a modeled
Jinja2sink to properly refer toEnvironment().from_string(); and promotes sinks from the other template frameworks included in the experimental version.Excludes the
Cheetahpackage as its documentation links are dead and its last update was 15 years ago.