SSTI
Definition
Server-Side Template Injection (SSTI) is a web security vulnerability that occurs when user input is unsafely embedded into server-side templates. This can allow an attacker to execute arbitrary code on the server, potentially leading to data theft, unauthorized access, or complete server compromise. SSTI exploits arise when the template engine processes untrusted input without proper validation or sanitization.
Secure Settings Example
from jinja2 import Environment, FileSystemLoader, select_autoescape
from markupsafe import escape
# Secure configuration for the Jinja2 template engine: templates are loaded
# from a fixed directory on disk and autoescaping is enabled for HTML/XML output
env = Environment(
    autoescape=select_autoescape(['html', 'xml']),
    loader=FileSystemLoader('templates')
)
template = env.get_template('index.html')
# user_input is the untrusted value taken from the request; it is passed only
# as context data (never spliced into the template source) and is escaped
output = template.render(user_input=escape(user_input))
Insecure Settings Example
from jinja2 import Template
# Insecure configuration: no autoescaping, so the user-supplied value is
# rendered verbatim into the output
template = Template("Hello {{ user_input }}!")
output = template.render(user_input=user_input) # user input is not escaped
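Added example (not code from the original page) that makes the difference concrete: splicing user input into the template source, which is the defect the definition describes, versus passing it only as context data to a fixed template rendered by a sandboxed, autoescaping environment. It assumes jinja2 is installed; the visitor name containing a template expression is a constructed sample.

```python
from jinja2 import Template
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: a "name" that is really a template expression.
PROBE = "{{ 7 * 7 }}"


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the untrusted value becomes part of the template
    SOURCE, so the engine parses and evaluates any expression it contains."""
    return Template("Hello " + user_input + "!").render()


def render_safe(user_input: str) -> str:
    """Hardened pattern: the template source is fixed, the untrusted value is
    supplied only as context data, the environment is sandboxed (limits what
    template code can reach even if a template were ever attacker-controlled),
    and autoescaping neutralises HTML in the rendered output."""
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")
    return template.render(name=user_input)


if __name__ == "__main__":
    # The unsafe path evaluates the expression; the safe path prints it literally.
    print(render_unsafe(PROBE))   # Hello 49!
    print(render_safe(PROBE))     # Hello {{ 7 * 7 }}!
    print(render_safe("<b>x</b>"))  # Hello &lt;b&gt;x&lt;/b&gt;!
```

Checking that a template expression in user data comes back as literal text is a quick regression test for any view that renders untrusted input.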