fix(jinja2): detect lipsum and get_flashed_messages __globals__ SSTI gadgets#1728
Open
back2matching wants to merge 1 commit into
Open
fix(jinja2): detect lipsum and get_flashed_messages __globals__ SSTI gadgets#1728back2matching wants to merge 1 commit into
back2matching wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds the
lipsum.__globals__andget_flashed_messages.__globals__global-access gadgets toJINJA2_SSTI_PATTERNS["global_access"], plus a generic\.__globals__attribute pattern, and a regression test.This is a detection-quality improvement (a gadget-enumeration completeness gap), not a security-vulnerability report. The classic weaponized forms are already caught today, so nothing here is a practical bypass. Per
SECURITY.mdthis is the "detection quality / obfuscation outside implemented coverage" category, so I'm filing it as a normal PR rather than a private advisory.Why
The
global_accesslist already enumerates the sibling gadgetscycler,joiner,namespace,request.application, andconfig, but notlipsumorget_flashed_messages, both staples of public Jinja2 SSTI references.lipsumis a default Jinja2 global, so it's reachable in a plain chat-template render (the same pattern set the GGUFtokenizer.chat_templatepath uses).Two gaps, one fix:
lipsum/get_flashed_messageswere the only common global-access gadgets missing while their siblings are present.__globals__reach. The existing__globals__[pattern only catches the subscript form. Jinja2 resolvesa.bby attribute then item, sox.__globals__.osis a working construct whose source text contains no__globals__[and matched nothing before this change. The added\.__globals__pattern closes that generically and covers future gadget objects.Scope note: a fully weaponized payload usually still self-flags through its sink (e.g.
os.popen(/eval(), which is a separatecritical_injectionpattern, so this is a completeness/consistency hardening rather than a bypass fix. The sandboxed render probe is unaffected.Testing
tests/scanners/test_jinja2_template_scanner.py::TestJinja2TemplateScannerPatternCategories::test_detects_lipsum_and_get_flashed_messages_gadgetsscans{{ lipsum.__globals__.os }}and{{ get_flashed_messages.__globals__.os }}(benign markers, no exploit chain) and asserts both are flagged asglobal_access. It fails onmain(both produce zero findings) and passes with this change. Existing benign-template false-positive tests still pass (benign chat templates don't reference__globals__).uv run ruff check,uv run ruff format --check, anduv run mypyon the changed files are clean; the jinja2 scanner + detector suites pass.No operational exploit payloads are included; the gadget families referenced are long-public SSTI knowledge.