{"title":"Jinja2 Server-Side Template Injection via render_template_string","language":"Python","severity":"Critical","cwe":"CWE-1336","source_lines":[8,9],"flow_lines":[8,10,11],"sink_lines":[11],"vulnerable_code":"from flask import Flask, request, render_template_string\nimport boto3\n\napp = Flask(__name__)\ns3_client = boto3.client('s3')\n\n@app.route('/cloud/bucket-report')\ndef generate_bucket_report():\n    bucket_name = request.args.get('bucket', 'default-bucket')\n    report_title = request.args.get('title', 'S3 Bucket Report')\n    template_str = f\"<html><body><h1>{report_title}</h1><p>Analyzing bucket: {bucket_name}</p></body></html>\"\n    return render_template_string(template_str)","explanation":"User-controlled input from request.args.get('title') and request.args.get('bucket') is directly interpolated into an f-string template and passed to render_template_string() without sanitization. This allows attackers to inject arbitrary Jinja2 template expressions that execute server-side, leading to Remote Code Execution.","remediation":"The fix eliminates the SSTI vulnerability by replacing the f-string interpolation with Jinja2's native template variable syntax ({{ variable }}). User-supplied values are passed as context parameters to render_template_string(), which automatically escapes them and prevents any injected Jinja2 expressions from being interpreted as template code.","secure_code":"from flask import Flask, request, render_template_string\nimport boto3\nfrom markupsafe import escape\n\napp = Flask(__name__)\ns3_client = boto3.client('s3')\n\n@app.route('/cloud/bucket-report')\ndef generate_bucket_report():\n    bucket_name = request.args.get('bucket', 'default-bucket')\n    report_title = request.args.get('title', 'S3 Bucket Report')\n    template_str = \"<html><body><h1>{{ report_title }}</h1><p>Analyzing bucket: {{ bucket_name }}</p></body></html>\"\n    return render_template_string(template_str, report_title=report_title, bucket_name=bucket_name)"}