github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Python : Add query to detect Server Side Template Injection #93

Closed porcupineyhairs closed 4 years ago

porcupineyhairs commented 4 years ago

CVE

This is a very common issue. Multiple blogs and hackerone reports cover this. I am including a few of them here.

  1. uber.com may RCE by Flask Jinja2 Template Injection
  2. RCE with Flask Jinja Template Injection
  3. CVE-2019-8341 (disputed)
  4. Exploring SSTI in Flask/Jinja2
  5. Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection
  6. Jinja2 Server Side Template Injection Research

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Python templating engines. As of now it covers

  1. Django Templating Engine
  2. Jinja Templating Engine [7000 stars]
  3. Chameleon Templating Engine [106 stars]
  4. Mako Templating Engine [81 stars]
  5. Genshi Templating Engine [35 stars]
  6. Trender Templating Engine [16 stars]
  7. cheetah
  8. chevron
  9. airspeed

The PR also includes tests along with well documented code.

Link to the PR: github/codeql#3396

--- Edit history: 25 June: updated the list of template engines and added a few references in the CVE section.
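To make the sink the query is looking for concrete, here is an added example (not code from the PR, from the referenced blogs, or from any of the listed engines) showing the unsafe pattern beside its hardened form, using Jinja2 directly. The input value, the function names and the use of `jinja2.Template`/`Environment.from_string` as the sink are assumptions for illustration; in Flask the equivalent sink is `render_template_string`.

```python
"""Unsafe vs. safe handling of untrusted input in Jinja2 (added example)."""
from jinja2 import Environment, Template
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: a value a remote user controls (e.g. a query
# parameter). It carries Jinja2 expression syntax, which is exactly what a
# template-injection query is trying to prove can reach the template source.
UNTRUSTED_NAME = "{{ 7 * 7 }}"


def greet_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted value becomes part of the template SOURCE.

    A remote-controlled string flows into the template argument, so the engine
    parses and evaluates any template syntax the value contains. This is the
    source-to-sink flow the query reports.
    """
    template = Template("Hello " + name + "!")  # sink: user data in template text
    return template.render()


def greet_safe(name: str) -> str:
    """Hardened pattern: the template source is a constant; user data is context.

    The value is rendered as data and never parsed as template code. Enabling
    autoescape additionally neutralises HTML in the value.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")  # constant template source
    return template.render(name=name)  # user data passed as a variable


def greet_sandboxed_but_still_unsafe(name: str) -> str:
    """Caveat: the sandbox limits what an injected template may touch, but it
    does not stop the input from being evaluated as template code. Arithmetic
    and plain expressions still run, so this is defence in depth, not a fix."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("Hello " + name + "!").render()


if __name__ == "__main__":
    print("unsafe   :", greet_unsafe(UNTRUSTED_NAME))
    print("safe     :", greet_safe(UNTRUSTED_NAME))
    print("sandboxed:", greet_sandboxed_but_still_unsafe(UNTRUSTED_NAME))
```

The two patterns differ only in where the user value enters: as template text (flagged) or as a render-time variable (not flagged). That distinction is what a taint-tracking query has to model for each engine in the list above.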

anticomputer commented 4 years ago

Hi @porcupineyhairs,

I'm working on generating a TP result set based on your PR. I am so far unable to generate a TP result even with e.g. the PoC app mentioned from issue #6 in your CVE section (which is a PoC app).

Would you be able to provide a ql db for a vulnerable project that your query generates a TP result against?

porcupineyhairs commented 4 years ago

Status update.

The query run failed due to 2 small underlying issues which are now fixed. A rerun of the query against LGTM databases resulted in 20 detections in 13 independent projects, all of which are true positives. I am in the process of reporting them. I will open a separate issue in the Bug Slayer category if these result in 4 CVEs.

xcorail commented 4 years ago

Created Hackerone report 944359 for bounty 235114 : [93] Python : Add query to detect Server Side Template Injection 🎉