Command injection in from_string function (SSTI)

[mostafa]

Expected Behavior

The from_string accepts parameters that are not escaped, so an attacker can inject code into the template.

Actual Behavior

Should escape anything passed.

Extra Information and Proof of Concept

https://github.com/JameelNabbo/Jinja2-Code-execution
https://www.exploit-db.com/exploits/46386

[davidism]

The user who created that repo and CVE doesn't know what they're talking about, and unfortunately now we're going to have to keep addressing it since they irresponsibly notified a bunch of people about a non-issue in an official sounding way. See https://github.com/JameelNabbo/Jinja2-Code-execution/issues/1 for a response to them. I've sent in a request to MITRE to have the CVE invalidated.

Saying Jinja has a vulnerability because from_string exists is like saying every dynamic language is vulnerable because eval exists, or every SQL library is vulnerable because they evaluate SQL strings. The issue isn't with those libraries, which all provide proper tools for handling user input. A SQL library doesn't have an injection vulnerability, a project using a SQL library improperly does.

SandboxedEnvironment should be used if you still want to risk compiling untrusted templates, and autoescape should be used when rendering untrusted variables.