Fix SSTI by escaping user input and removing tornado.template.Template usage for name parameter in server.py

[zeropath-ai]

Summary

• The Vulnerability Description: The application rendered user-supplied input (name parameter) using tornado.template.Template without sanitization, allowing attackers to inject Tornado template directives and potentially execute arbitrary code on the server (Server-Side Template Injection/SSTI).
• This Fix: The patch sanitizes user input by applying tornado.escape.xhtml_escape to the name parameter before inserting it into the template, preventing any template directives or malicious content from being executed.
• The Cause of the Issue: The root cause was directly embedding unsanitized user input into a template string that was then processed by Tornado’s template engine.
• The Patch Implementation: The code now escapes special HTML characters in the user input and removes the use of tornado.template.Template for rendering, instead directly replacing the placeholder and writing the safe string to the response.

Vulnerability Details

• Vulnerability Class: Server Side Template Injection (SSTI)
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a3/sstype/src/server.py
• Vulnerable Lines: 17-18

Code Snippets

diff --git a/owasp-top10-2021-apps/a3/sstype/src/server.py b/owasp-top10-2021-apps/a3/sstype/src/server.py
index 4455395f..bc6ac7b6 100644
--- a/owasp-top10-2021-apps/a3/sstype/src/server.py
+++ b/owasp-top10-2021-apps/a3/sstype/src/server.py
@@ -2,6 +2,7 @@ import tornado.template
 import tornado.ioloop
 import tornado.web
 import os
+import tornado.escape
 
 TEMPLATE = open(os.path.join(os.path.dirname(__file__)) + "/public/index.html", 'r').readlines()
 
@@ -13,9 +14,9 @@ class MainHandler(tornado.web.RequestHandler):
 
     def get(self):
         name = self.get_argument('name', '')
-        template_data = tmpl.replace("NAMEHERE",name)
-        t = tornado.template.Template(template_data)
-        self.write(t.generate(name=name))
+        safe_name = tornado.escape.xhtml_escape(name)
+        response = tmpl.replace("NAMEHERE", safe_name)
+        self.write(response)
 
 application = tornado.web.Application([
     (r"/", MainHandler),
@@ -24,4 +25,4 @@ application = tornado.web.Application([
 
 if __name__ == '__main__':
     application.listen(10001)
-    tornado.ioloop.IOLoop.instance().start()
\ No newline at end of file
+    tornado.ioloop.IOLoop.instance().start()

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_server_side_template_injection_ssti_1751928062950432

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a3/sstype/src/server.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_server_side_template_injection_ssti_1751928062950432