Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Python : Add query to detect Server Side Template Injection #93

Closed
porcupineyhairs opened this issue May 21, 2020 · 3 comments
Closed

Python : Add query to detect Server Side Template Injection #93

porcupineyhairs opened this issue May 21, 2020 · 3 comments
Labels

Comments

@porcupineyhairs
Copy link

@porcupineyhairs porcupineyhairs commented May 21, 2020

CVE

This is a very common issue. Multiple blogs and hackerone reports cover this. I am including a few of them here.

  1. uber.com may RCE by Flask Jinja2 Template Injection
  2. RCE with Flask Jinja Template Injection
  3. CVE-2019-8341 (disputed)
  4. Exploring SSTI in Flask/Jinja2
  5. Uber 遠端代碼執行- Uber.com Remote Code Execution via Flask Jinja2 Template Injection
  6. Jinja2 Server Side Template Injection Research

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Python templating engines. As of now it covers

  1. Django Templating Engine
  2. Jinja Templating Engine[7000 stars]
  3. Chameleon Templating Engine [106 stars]
  4. Mako Tempalteing Engine [81 stars]
  5. Genshi Templating Engine [35 stars]
  6. Trender Templating Engine[16 stars]
  7. cheetah
  8. chevron
  9. airspeed

The PR also includes tests along with well documented code.

Link to the PR:[github/codeql#3396]

--- Edit history:
25 June : updated the list of template engines and added a few references in the cve section.

@anticomputer
Copy link
Contributor

@anticomputer anticomputer commented Jul 20, 2020

Hi @porcupineyhairs,

I'm working on generating a TP result set based on your PR. I am so far unable to generate a TP result even with e.g. the PoC app mentioned from issue #6 in your CVE section (which is a PoC app).

Would you be able to provide a ql db for a vulnerable project that your query generates a TP result against?

@porcupineyhairs
Copy link
Author

@porcupineyhairs porcupineyhairs commented Jul 22, 2020

Status update.

The query run failed due to 2 small underlying issues which are now fixed. A rerun of the query against LGTM databases resulted in 20 detections in 13 independent projects. All of which are true positives. I am in the process of reporting them. I will open a separate issue in the Bug Slayer category if these result in 4 CVE's.

@xcorail
Copy link
Contributor

@xcorail xcorail commented Jul 27, 2020

Created Hackerone report 944359 for bounty 235114 : [93] Python : Add query to detect Server Side Template Injection 🎉

@xcorail xcorail closed this Jul 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.