Templating

PyJinja2

Jinja2 is the template engine behind Flask and many other Python frameworks. Template(source).render() and Environment.from_string(source) evaluate template syntax, so they are server-side template injection (SSTI) sinks when the template source comes from user input. Autoescape only protects rendered output; it does nothing for the template source itself.

Taint flow: 0 sources, 2 sinks

Sinks (dangerous calls):
.Template()
.Environment.from_string()

Sinks

.Template() (Sink)

Signature
jinja2.Template(source: str, ...) -> Template

Compiles a template from source. SSTI sink when source is user-controlled.

tracks: 0

.Environment.from_string() (Sink)

Signature
Environment.from_string(source: str, ...) -> Template

Compiles a template from source using this environment. Same SSTI risk.

tracks: 0

Other Methods

.render() (Neutral)

Signature
Template.render(**context) -> str

Renders a compiled template. Safe with autoescape=True when the template itself is trusted; dangerous if the Template source was user-controlled, because the injected syntax has already been compiled before render() runs.
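As an added illustration (not part of this page or of codepathfinder's own taint engine), the following stdlib-only `ast` pass applies the sink model above to Python source: a call to Template() or from_string() whose template source is anything other than a string literal is reported, while the fixed pattern, where user text reaches only the render() context, is not. The sample code it scans is constructed for this example.

```python
import ast

# Sinks from the page's PyJinja2 model: jinja2.Template(source) and
# Environment.from_string(source); the template source is the first argument.
SINKS = {"Template", "from_string"}

class SstiSinkFinder(ast.NodeVisitor):
    """Flag sink calls whose template source is not a string literal
    (a variable, concatenation, f-string or .format() result)."""
    def __init__(self):
        self.findings = []   # (lineno, sink name, source expression)

    def visit_Call(self, node):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        src = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "source"), None)
        if name in SINKS and src is not None and not isinstance(src, ast.Constant):
            self.findings.append((node.lineno, name, ast.unparse(src)))
        self.generic_visit(node)

def find_ssti_sinks(python_source):
    finder = SstiSinkFinder()
    finder.visit(ast.parse(python_source))
    return finder.findings

# Constructed sample: two unsafe uses and the fixed pattern, where user text
# only reaches the render() context and never the template source.
SAMPLE = '''
import jinja2
from jinja2 import Environment, Template

env = Environment(autoescape=True)

def unsafe(user_input):
    return jinja2.Template(user_input).render()

def also_unsafe(user_input):
    return env.from_string("Hi " + user_input).render()

def safe(user_input):
    return Template("Hi {{ name }}").render(name=user_input)
'''

if __name__ == "__main__":
    for lineno, sink, expr in find_ssti_sinks(SAMPLE):
        print(f"line {lineno}: {sink}() compiles non-literal template source {expr}")
```

Running it reports the two sink calls in unsafe() and also_unsafe() and nothing for safe(), which is the same distinction the FQN-based rule draws.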

Fully-Qualified Names

FQN                  Field
jinja2               fqns[0]
jinja2.Template      fqns[1]
jinja2.Environment   fqns[2]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage; the rule must then produce 0 results, which confirms the findings depend on these names.

Import

rule.py
from codepathfinder.go_rule import PyJinja2