experimental/semmle/python/templates
test/experimental/CWE-074 Expand file tree Collapse file tree 8 files changed +16
-21
lines changed Original file line number Diff line number Diff line change @@ -17,7 +17,7 @@ ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.T
1717 * contents = 'Hello World!'
1818 * t3 = Template3("sink")
1919 *
20- * This should also detect cases of the following type :
20+ * This will also detect cases of the following type :
2121 *
2222 * from Cheetah.Template import Template
2323 * t3 = Template("sink")
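--- a/<path not shown on page: Jinja2 sink QL file>
+++ b/<path not shown on page: Jinja2 sink QL file>
@@ -17,7 +17,7 @@ Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
  * template = Template(`sink`)
  */
 class Jinja2TemplateSink extends SSTISink {
- override string toString ( ) { result = "argument to Jinja2.template ()" }
+ override string toString ( ) { result = "argument to jinja2.Template ()" }
 
  Jinja2TemplateSink ( ) {
  exists ( CallNode call |
@@ -30,13 +30,13 @@ class Jinja2TemplateSink extends SSTISink {
 }
 
 /**
- * Sink representing the `jinja2.Template` class instantiation argument.
+ * Sink representing the `jinja2.from_string` function call argument.
  *
- * from jinja2 import Template
- * template = Template (`sink`)
+ * from jinja2 import from_string
+ * template = from_string (`sink`)
  */
 class Jinja2FromStringSink extends SSTISink {
- override string toString ( ) { result = "argument to Jinja2 .from_string()" }
+ override string toString ( ) { result = "argument to jinja2 .from_string()" }
 
  Jinja2FromStringSink ( ) {
  exists ( CallNode call |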
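Review bot: The new doc comment on Jinja2FromStringSink (new lines 35-36) shows `from jinja2 import from_string` and `template = from_string(...)`, but Jinja2 exposes `from_string` as a method of `Environment` (`env.from_string(...)`) rather than a module-level function, so this example — and, if the sink is keyed on the `Value::named("jinja2.from_string")` shown in the first hunk's header, the sink itself — may not match real call sites. Worth confirming against the test fixtures which form is actually flagged, and documenting that shape instead, e.g. `* env = jinja2.Environment()` / `* template = env.from_string(`sink`)`. Separately, the two toString strings now differ in spacing (`jinja2.Template ()` vs `jinja2 .from_string()`); if that whitespace is in the source rather than a rendering artifact, the two should be aligned since they surface in query results. The body of Jinja2FromStringSink continues past the hunk.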
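--- a/<path not shown on page: SSTISink QL file>
+++ b/<path not shown on page: SSTISink QL file>
@@ -2,6 +2,6 @@ import semmle.python.dataflow.TaintTracking
 
 /**
  * A generic taint sink that is vulnerable to template inclusions.
- * The `temp` in `Jinja2 .Template(temp)` and similar.
+ * The `temp` in `jinja2 .Template(temp)` and similar.
  */
 abstract class SSTISink extends TaintSink { }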
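--- a/<path not shown on page: Template QL file>
+++ b/<path not shown on page: Template QL file>
@@ -1,5 +1,4 @@
 import python
- import semmle.python.dataflow.TaintTracking
 
 abstract class Template extends Module { }
 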
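--- a/<path not shown on page: Flask SSTI test>
+++ b/<path not shown on page: Flask SSTI test>
@@ -5,9 +5,6 @@
 app = Flask (__name__ )
 
 
- @app .route ("/" )
-
-
 @route ('/other' )
 def a ():
  template = request .args .get ('template' )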
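Review bot: After dropping `@app.route("/")`, the only decorator left on `a` (new line 8) is `@route('/other')`, and `route` is not a name the visible lines define — `app = Flask(__name__)` on line 5 is the only Flask object in view — so unless `route` is imported above the hunk this fixture registers no route and would raise NameError if executed. If a route was intended, `@app.route('/other')` is the expected form; if the decorator does not matter for the taint test, dropping it entirely would be clearer than leaving an unresolved name. The body of `a` continues past the hunk.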
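--- a/<path not shown on page: Flask SSTI test 2>
+++ b/<path not shown on page: Flask SSTI test 2>
@@ -12,7 +12,7 @@ def home():
 
 
 @app .route ("/a" )
- def home ():
+ def a ():
  import flask
  return flask .render_template_string (request .args .get ('template' ))
 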
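--- a/<path not shown on page: Django jinja2 SSTI test>
+++ b/<path not shown on page: Django jinja2 SSTI test>
@@ -4,7 +4,7 @@
 from jinja2 import Environment , DictLoader , escape
 
 
- def j (request ):
+ def a (request ):
  # Load the template
  template = request .GET ['template' ]
  t = Jinja2_Template (template )
@@ -13,7 +13,7 @@ def j(request):
  html = t .render (name = escape (name ))
  return HttpResponse (html )
 
- def j2 (request ):
+ def b (request ):
  import jinja2
  # Load the template
  template = request .GET ['template' ]
@@ -25,6 +25,6 @@ def j2(request):
 
 
 urlpatterns = [
- path ('' , jinja ),
- path ('' , jinja2 )
+ path ('a ' , a ),
+ path ('b ' , b )
 ]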
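--- a/<path not shown on page: Django trender SSTI test>
+++ b/<path not shown on page: Django trender SSTI test>
@@ -2,12 +2,11 @@
 from django .http import HttpResponse
 from trender import TRender
 
- urlpatterns = [
- path ('' , trender )
- ]
-
-
 def trender (request ):
  template = request .GET ['template' ]
  compiled = TRender (template )
  return HttpResponse (compiled )
+
+ urlpatterns = [
+ path ('' , trender )
+ ]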