Python Flask Uncontrolled Format String
Description
Detects uncontrolled string formatting in Flask applications where user input could be interpolated into response templates. This vulnerability could allow attackers to inject and execute arbitrary template expressions, potentially leading to server-side template injection (SSTI) attacks.
Detection Strategy
• Verifies that the Flask framework is imported in the application code
• Identifies Flask response handling methods that process template strings
• Checks for unsafe string formatting operations in template rendering
• Reports a vulnerability when user-controlled input can be interpolated into template strings without proper sanitization
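The detection strategy above, as an added example that is not code from the page or from Fluid Attacks' rule engine: a small AST-based scanner that applies the four checks to a constructed sample handler, flagging request-derived data used as the format string of Formatter().format(...) or str.format(...). The sample source, the REQUEST_SOURCES set and the function names are assumptions of this example.

```python
import ast

# Constructed sample input (not from the page): the vulnerable handler shape
# described above, given to the scanner as source text.
VULNERABLE_SRC = """from flask import Flask, request
from string import Formatter
app = Flask(__name__)
@app.route('/unsafe')
def unsafe_format():
    msg = request.args.get('msg', '')
    return Formatter().format(msg)
"""
REQUEST_SOURCES = {"args", "form", "values", "cookies", "headers", "json", "data"}

def _reads_request(node):
    """True if the expression reads flask.request.<source> (e.g. request.args.get('msg'))."""
    while isinstance(node, (ast.Call, ast.Subscript, ast.Attribute)):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "request" and node.attr in REQUEST_SOURCES):
            return True
        node = node.func if isinstance(node, ast.Call) else node.value
    return False

def find_uncontrolled_format(source):
    """Return (function, line) pairs where request-derived data is the format string of
    Formatter().format(...) or str.format(...). Taint follows only direct assignments
    inside the handler, and only 'from flask import ...' counts as using Flask."""
    tree = ast.parse(source)
    if not any(isinstance(n, ast.ImportFrom) and n.module == "flask" for n in ast.walk(tree)):
        return []
    findings = []
    for fn in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and _reads_request(stmt.value):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        for call in ast.walk(fn):
            if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "format"):
                continue
            recv = call.func.value
            # Formatter().format(fmt, ...) takes the format string as its first argument;
            # for str.format the receiver itself is the format string.
            is_formatter = (isinstance(recv, ast.Call) and isinstance(recv.func, ast.Name)
                            and recv.func.id == "Formatter")
            fmt = call.args[0] if (is_formatter and call.args) else recv
            if (isinstance(fmt, ast.Name) and fmt.id in tainted) or _reads_request(fmt):
                findings.append((fn.name, call.lineno))
    return findings
```

A fixed literal format string with request data passed only as a value (e.g. 'hi {}'.format(msg)) is not reported, which is the safe pattern the secure example relies on.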
Vulnerable code example

from flask import Flask, request
from string import Formatter

app = Flask(__name__)

@app.route('/unsafe')
def unsafe_format():
    user_input = request.args.get('msg', '')
    # VULNERABLE: User-controlled format string enables template injection
    # (function body reconstructed here; the page's listing is truncated at this point)
    return Formatter().format(user_input)

✅ Secure code example
from flask import Flask, request
from string import Template  # Use Template instead of Formatter for user input

app = Flask(__name__)

@app.route('/safe')
def safe_format():
    user_input = request.args.get('msg', '')
    # SAFE: the template is a fixed string; user input is only substituted as a value
    # (function body reconstructed here; the page's listing is truncated at this point)
    return Template('Message: $msg').safe_substitute(msg=user_input)