# Jinja2 Server-Side Template Injection via Untrusted render_template_string Input

Language: Python
Severity: Critical
CWE: CWE-1336

## Source
9-10

## Flow
9-10-11-12

## Sink
12

## Vulnerable Code
```python
from flask import Flask, request, render_template_string
import boto3

app = Flask(__name__)
s3_client = boto3.client('s3')

@app.route('/cloud/bucket-report')
def generate_bucket_report():
    bucket_name = request.args.get('bucket', 'default-bucket')
    report_title = request.args.get('title', 'S3 Bucket Analysis')
    template_markup = f"<html><head><title>{report_title}</title></head><body><h1>AWS S3 Report</h1><p>Analyzing bucket: {bucket_name}</p></body></html>"
    return render_template_string(template_markup)
```

## Explanation

User-controlled input from request parameters 'bucket' and 'title' are directly interpolated into an f-string to construct HTML markup, which is then passed to render_template_string(). This allows attackers to inject Jinja2 template expressions that will be evaluated server-side, leading to remote code execution.

## Remediation

The fix replaces f-string interpolation of user input into the template string with Jinja2's native variable substitution using {{ }} placeholders. User-controlled values are passed as context variables to render_template_string(), which automatically escapes them, preventing any injected Jinja2 expressions from being interpreted as template code.

## Secure Code
```python
from flask import Flask, request, render_template_string
import boto3
from markupsafe import escape

app = Flask(__name__)
s3_client = boto3.client('s3')

@app.route('/cloud/bucket-report')
def generate_bucket_report():
    bucket_name = request.args.get('bucket', 'default-bucket')
    report_title = request.args.get('title', 'S3 Bucket Analysis')
    template_markup = "<html><head><title>{{ report_title }}</title></head><body><h1>AWS S3 Report</h1><p>Analyzing bucket: {{ bucket_name }}</p></body></html>"
    return render_template_string(template_markup, report_title=report_title, bucket_name=bucket_name)
```
