retypeapp / retype

Retype is an ✨ ultra-high-performance✨ static site generator that builds a website based on simple text files.
https://retype.com

SSTI in code blocks and inline code? #366

Closed caueb closed 2 years ago

caueb commented 2 years ago

It seems that there is a server-side template injection in the code block/inline code.

When I try to add a code block or inline code like {{ 7*7 }} it actually renders 49. Or if I add {{ 7*'7' }} it renders as 7777777.

Expected behavior: I use retype to take notes and document penetration testing techniques, and need to be able to create code blocks or inline code such as the above mentioned.

geoffreymcgill commented 2 years ago

Yes, those code snippets are getting picked up by the Templating engine. There are a couple options:

Option 1

Disable templating within your project by adding the following config to your retype.yml project file.

templating:
    enabled: false

Option 2

Escape those {{ }} code samples by wrapping with {% %}.

Your sample would be revised to the following:

Not-escaped
{{ 7*7 }}

Escaped
{%{{ 7*7 }}%}

Hope this helps.
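A small checker for the escape the answer above describes, added here as an example that is not part of the thread or of Retype itself: it scans a Markdown notes file for `{{ ... }}` inside inline code or fenced blocks, reports the ones that are still unescaped, and can rewrite them into the `{%{{ ... }}%}` form. The sample notes are constructed; the wrapping rule is taken only from the answer's `{%{{ 7*7 }}%}` example, and nothing else about Retype's parser is assumed.

```python
import re

# Constructed sample notes: one inline span is unescaped, one is already
# wrapped in {% %}, and the fenced block holds an unescaped expression.
FENCE = "`" * 3  # built this way so the sample can live inside a fenced example
SAMPLE_MD = "\n".join([
    "# Template probe notes",
    "",
    "Inline: `{{ 7*7 }}` and `{%{{ 7*'7' }}%}`",
    "",
    FENCE + "text",
    "payload = {{ 7*'7' }}",
    FENCE,
])

TEMPLATE = re.compile(r"\{\{.*?\}\}")          # a {{ ... }} template expression
INLINE = re.compile(r"`[^`\n]+`")              # an inline code span
FENCE_RE = re.compile(r"^\s*(`{3,}|~{3,})")    # a fenced code block delimiter

def _is_escaped(text, start, end):
    """True when the match at text[start:end] is already wrapped as {%...%}."""
    return text[max(0, start - 2):start] == "{%" and text[end:end + 2] == "%}"

def _escape_segment(code):
    """Wrap every unescaped {{ ... }} inside one piece of code text."""
    out, pos = [], 0
    for m in TEMPLATE.finditer(code):
        out.append(code[pos:m.start()])
        wrapped = _is_escaped(code, m.start(), m.end())
        out.append(m.group() if wrapped else "{%" + m.group() + "%}")
        pos = m.end()
    out.append(code[pos:])
    return "".join(out)

def find_unescaped(md):
    """Return (line_number, expression) for each unescaped {{ ... }} in code."""
    hits, in_fence = [], False
    for n, line in enumerate(md.splitlines(), 1):
        if FENCE_RE.match(line):
            in_fence = not in_fence
            continue
        segments = [line] if in_fence else [m.group() for m in INLINE.finditer(line)]
        for seg in segments:
            for m in TEMPLATE.finditer(seg):
                if not _is_escaped(seg, m.start(), m.end()):
                    hits.append((n, m.group()))
    return hits

def escape_code(md):
    """Rewrite the notes so every {{ ... }} in code is wrapped in {% %}."""
    out, in_fence = [], False
    for line in md.splitlines():
        if FENCE_RE.match(line):
            in_fence = not in_fence
            out.append(line)
        elif in_fence:
            out.append(_escape_segment(line))
        else:
            out.append(INLINE.sub(lambda m: _escape_segment(m.group()), line))
    return "\n".join(out)
```

Running `find_unescaped` over your notes before a build tells you which snippets the templating engine will evaluate; `escape_code` is idempotent, so applying it twice leaves already-escaped samples alone.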

caueb commented 2 years ago

Thank you @geoffreymcgill, that solves my problem. Feel free to close the issue.