{"title":"Server-Side Template Injection via Jinja2 render_template_string()","language":"Python","severity":"Critical","cwe":"CWE-1336","source_lines":[8],"flow_lines":[8,9,11],"sink_lines":[11],"vulnerable_code":"from flask import Flask, request, render_template_string\nimport boto3\n\napp = Flask(__name__)\ns3_client = boto3.client('s3')\n\n@app.route('/cloud/bucket-report')\ndef generate_bucket_report():\n    bucket_name = request.args.get('bucket', 'default-bucket')\n    report_title = request.args.get('title', 'S3 Analytics')\n    template_markup = f\"<h1>{{{{ '{report_title}' }}}}</h1><p>Bucket: {bucket_name}</p><div>{{{{ user_content }}}}</div>\"\n    user_content = request.args.get('content', 'No additional data')\n    return render_template_string(template_markup, user_content=user_content)","explanation":"The report_title parameter from user input (line 8) is directly embedded into the Jinja2 template string via f-string formatting (line 9), then rendered by render_template_string() (line 11). This allows attackers to inject arbitrary Jinja2 template code that gets executed server-side, potentially leading to remote code execution.","remediation":"The fix eliminates the SSTI vulnerability by using a static Jinja2 template string with placeholder variables instead of embedding user input directly into the template via f-string formatting. All user-provided values (report_title, bucket_name, user_content) are now passed as context variables to render_template_string(), which automatically escapes them during rendering, preventing any template injection.","secure_code":"from flask import Flask, request, render_template_string\nfrom markupsafe import escape\nimport boto3\n\napp = Flask(__name__)\ns3_client = boto3.client('s3')\n\n@app.route('/cloud/bucket-report')\ndef generate_bucket_report():\n    bucket_name = request.args.get('bucket', 'default-bucket')\n    report_title = request.args.get('title', 'S3 Analytics')\n    user_content = request.args.get('content', 'No additional data')\n    template_markup = \"<h1>{{ report_title }}</h1><p>Bucket: {{ bucket_name }}</p><div>{{ user_content }}</div>\"\n    return render_template_string(template_markup, report_title=report_title, bucket_name=bucket_name, user_content=user_content)"}