new capacity bits (#67)

tests/fixtures/ssti/python/safe_jinja_constant.py

@@ -0,0 +1,9 @@
+# Safe: jinja2.Template receives a constant template source.  Variables
+# passed at render time are not template source and do not activate SSTI.
+from jinja2 import Template
+from flask import request
+
+
+def handler():
+    t = Template("Hello, {{ name }}")
+    return t.render(name=request.args.get("name"))

tests/fixtures/ssti/python/safe_mako_lookup_constant.py

@@ -0,0 +1,9 @@
+# Safe: Mako TemplateLookup.get_template receives a literal template name.
+# No tainted flow into the loader-path argument, no SSTI.
+from mako.lookup import TemplateLookup
+
+
+def handler():
+    lookup = TemplateLookup(directories=["/srv/templates"])
+    template = lookup.get_template("home.mako")
+    return template.render(user="anon")

tests/fixtures/ssti/python/safe_render_template_var.py

@@ -0,0 +1,8 @@
+# Safe-template-var: Flask `render_template("file.html", **vars)`.  The
+# first arg is a *file path* (constant), variables carry user input but
+# never become template source.  Must NOT fire SSTI.
+from flask import render_template, request
+
+
+def handler():
+    return render_template("greeting.html", name=request.args.get("name"))

tests/fixtures/ssti/python/unsafe_jinja_compile_expression.py

@@ -0,0 +1,11 @@
+# Unsafe: jinja2 Environment.compile_expression accepts an arbitrary
+# expression source; tainted input compiles into an executable callable.
+from jinja2 import Environment
+from flask import request
+
+
+def handler():
+    env = Environment()
+    expr_src = request.form["expr"]
+    expr = env.compile_expression(expr_src)
+    return str(expr({}))

tests/fixtures/ssti/python/unsafe_jinja_get_template.py

@@ -0,0 +1,13 @@
+# Unsafe: Jinja2 Environment.get_template receives an attacker-controlled
+# template name.  Tainted name lets the attacker swap the resolved template,
+# yielding arbitrary template execution.  Modeled as SSTI on the loader-path
+# argument.
+from jinja2 import Environment, FileSystemLoader
+from flask import request
+
+
+def handler():
+    name = request.args.get("page")
+    env = Environment(loader=FileSystemLoader("/srv/templates"))
+    template = env.get_template(name)
+    return template.render(user="anon")

tests/fixtures/ssti/python/unsafe_jinja_template.py

@@ -0,0 +1,10 @@
+# Unsafe: jinja2.Template receives a template *source* string built from
+# request data.  SSTI fires on the source argument.
+from jinja2 import Template
+from flask import request
+
+
+def handler():
+    src = request.form["template"]
+    t = Template(src)
+    return t.render(user="anon")

tests/fixtures/ssti/python/unsafe_mako_lookup_get_template.py

@@ -0,0 +1,13 @@
+# Unsafe: Mako TemplateLookup.get_template receives an attacker-controlled
+# template name.  A tainted name lets the attacker pick which file under the
+# loader directory becomes the rendered template — arbitrary template
+# execution, modeled as SSTI.
+from mako.lookup import TemplateLookup
+from flask import request
+
+
+def handler():
+    name = request.args.get("name")
+    lookup = TemplateLookup(directories=["/srv/templates"])
+    template = lookup.get_template(name)
+    return template.render(user="anon")