mcp-server-semgrep/semgrep-rules/python/flask/security/audit/render-template-string.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: render-template-string
  pattern: flask.render_template_string(...)
  metadata:
    cwe:
    - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
    owasp:
    - A03:2021 - Injection
    references:
    - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html
    category: security
    technology:
    - flask
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  message: Found a template created with string formatting. This is susceptible to server-side template
    injection and cross-site scripting attacks.
  languages: [python]
  severity: WARNING