Jinja: Command injection in from_string function (SSTI)

Created on 18 Feb 2019  路  1Comment  路  Source: pallets/jinja

Expected Behavior

The from_string accepts parameters that are not escaped, so an attacker can inject code into the template.

Actual Behavior

Should escape anything passed.

Extra Information and Proof of Concept

https://github.com/JameelNabbo/Jinja2-Code-execution
https://www.exploit-db.com/exploits/46386

picture mostafa

Most helpful comment

The user who created that repo and CVE doesn't know what they're talking about, and unfortunately now we're going to have to keep addressing it since they irresponsibly notified a bunch of people about a non-issue in an official sounding way. See https://github.com/JameelNabbo/Jinja2-Code-execution/issues/1 for a response to them. I've sent in a request to MITRE to have the CVE invalidated.

Saying Jina has a vulnerability because from_string exists is like saying every dynamic language is vulnerable because eval exists, or every SQL library is vulnerable because they evaluate SQL strings. The issue isn't with those libraries, which all provide proper tools for handling user input. A SQL library doesn't have an injection vulnerability, a project using a SQL library improperly does.

SandboxedEnvironment should be used if you still want to risk compiling untrusted templates, and autoescape should be used when rendering untrusted variables.

picture davidism on 18 Feb 2019
👍6

>All comments

The user who created that repo and CVE doesn't know what they're talking about, and unfortunately now we're going to have to keep addressing it since they irresponsibly notified a bunch of people about a non-issue in an official sounding way. See https://github.com/JameelNabbo/Jinja2-Code-execution/issues/1 for a response to them. I've sent in a request to MITRE to have the CVE invalidated.

Saying Jina has a vulnerability because from_string exists is like saying every dynamic language is vulnerable because eval exists, or every SQL library is vulnerable because they evaluate SQL strings. The issue isn't with those libraries, which all provide proper tools for handling user input. A SQL library doesn't have an injection vulnerability, a project using a SQL library improperly does.

SandboxedEnvironment should be used if you still want to risk compiling untrusted templates, and autoescape should be used when rendering untrusted variables.

davidism picture davidism on 18 Feb 2019
👍6
Was this page helpful?
0 / 5 - 0 ratings

Related issues

glasserc picture glasserc  路  4Comments
htgoebel picture htgoebel  路  4Comments
samatjain picture samatjain  路  5Comments
mitsuhiko picture mitsuhiko  路  3Comments
nalzok picture nalzok  路  5Comments