Python: Promote Template Injection query from experimental

[joefarebrother]

Promotes the Template Injection query, originally submitted to the experimental query pack here.

Fixes a modeled Jinja2 sink to properly refer to Environment().from_string(); and promotes sinks from the other template frameworks included in the experimental version.
Excludes the Cheetah package as its documentation links are dead and its last update was 15 years ago.

[github-actions]

QHelp previews:

python/ql/src/Security/CWE-074/TemplateInjection.qhelp

Server Side Template Injection

A template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting.

Recommendation

Ensure that an untrusted value is not used to directly construct a template. Jinja also provides a SandboxedEnvironment that prohibits access to unsafe methods and attributes, that can be used if constructing a template from user input is absolutely necessary.

Example

In the following case, template is used to generate a Jinja2 template string. This can lead to remote code execution.

from django.urls import path
from django.http import HttpResponse
from jinja2 import Template, escape


def a(request):
    template = request.GET['template']

    # BAD: Template is constructed from user input. 
    t = Template(template)

    name = request.GET['name']
    html = t.render(name=escape(name))
    return HttpResponse(html)


urlpatterns = [
    path('a', a),
]

The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

{% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').system('cat /etc/passwd') }}{% endif %}{% endfor %}

In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.

from django.urls import path
from django.http import HttpResponse
from jinja2 import Template, escape


def a(request):
    # GOOD: Template is a constant, not constructed from user input
    t = Template("Hello, {{name}}!")

    name = request.GET['name']
    html = t.render(name=escape(name))
    return HttpResponse(html)


urlpatterns = [
    path('a', a),
]

In the following case, a SandboxedEnvironment is used, preventing remote code execution.

from django.urls import path
from django.http import HttpResponse
from jinja2 import escape
from jinja2.sandbox import SandboxedEnvironment


def a(request):
    env = SandboxedEnvironment()
    template = request.GET['template']

    # GOOD: A sandboxed environment is used to construct the template. 
    t = env.from_string(template)

    name = request.GET['name']
    html = t.render(name=escape(name))
    return HttpResponse(html)


urlpatterns = [
    path('a', a),
]

References

• Portswigger: Server-Side Template Injection.
• Common Weakness Enumeration: CWE-74.