← ClaudeAtlas

ssti

Detect Server-Side Template Injection where user input is passed as the template string itself rather than as template variables, enabling code execution.
Liaabnormal676/find-cve-agent · ★ 0 · AI & Automation · score 75
Install: claude install-skill Liaabnormal676/find-cve-agent
# SSTI Detection

## When to Use

Audit template engines, email template systems, report generators, CMS systems, and any code that compiles templates from user input.

## Key Distinction

- User input **IN the template string** = VULNERABLE (SSTI)
- User input **IN template variables/context** = SAFE (this is normal template usage)

```js
// VULNERABLE: user input IS the template
ejs.render(userInput, data);

// SAFE: user input is in the data, not the template
ejs.render(templateFromFile, { name: userInput });
```

String concatenation or template-literal interpolation of user input into the template source is the first case, not the second: the engine still compiles the user's text as template syntax.

**Auto-escaping does NOT help.** Auto-escaping prevents XSS in template OUTPUT, not code execution in template COMPILATION. Escaping is applied to values substituted into the rendered output; the template source itself is parsed and compiled (in most engines, to executable code) before any escaping runs.

One caveat on impact: logic-less engines such as Mustache do not evaluate expressions, so user input in the template source lets an attacker choose which context values are rendered (data exposure, output control) rather than run code. Still report it, but rate the impact accordingly. Engines with expression evaluation (EJS, Pug, Nunjucks, Jinja2, Mako, ERB, Twig, Smarty) give the attacker expression evaluation and, in most of them, a path to code execution.

## Process

### Step 1: Find Template Compilation

```
# JavaScript
grep -rn "Handlebars\.compile\|nunjucks\.renderString\|ejs\.render" .
grep -rn "pug\.compile\|pug\.render\|mustache\.render" .
grep -rn "template(\|compile(\|render(" . | grep -v node_modules

# Python
grep -rn "Template(\|from_string\|render_template_string" .
grep -rn "Jinja2\|jinja2\|Environment\|render_string" .
grep -rn "mako\.template\|Mako\|Template(" .

# Ruby
grep -rn "ERB\.new\|Erubi\|Slim\|Haml" .

# PHP
grep -rn "Twig.*createTemplate\|Twig.*Environment\|Blade\|Smarty" .
```

### Step 2: Check if First Argument is User-Controlled

For each template compilation call:

1. Is the template string hardcoded or loaded from a file? (SAFE)
2. Is the template string from user input? (VULNERABLE)
3. Is the template string from a database but originally user-supplied? (VULNE
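As an added example (not part of the find-cve-agent skill), the following Node.js script automates Step 1 and Step 2 for JavaScript sources: it finds the sink calls from the grep list above (plus `ejs.compile`), extracts the first argument of each call, and classifies it as a literal, a file load, request-controlled data, or "needs review". The `TAINT_HINTS` and `FILE_HINTS` patterns, the one-hop identifier resolution, and the `SAMPLE` application code are all assumptions constructed for this example, not a complete inventory.

```javascript
"use strict";
// Added example (not part of find-cve-agent): regex-based triage of
// JavaScript template-compilation call sites. Every heuristic list below is
// an assumption; extend it for the code base under audit.

const TEMPLATE_SINKS = [
  "Handlebars.compile", "nunjucks.renderString", "ejs.render", "ejs.compile",
  "pug.compile", "pug.render", "mustache.render",
];

// Where request data usually enters an Express-style handler (assumed names).
const TAINT_HINTS = [/\breq\.(body|query|params|headers|cookies)\b/, /\buserInput\b/i];
// What a template loaded from disk usually looks like (assumed names).
const FILE_HINTS = [/\breadFile(Sync)?\s*\(/, /\bfromFile\b/i];

// Text of the first argument of the call whose "(" is at src[open], or null
// if the parentheses never balance. Strings and template literals are skipped
// as a unit so commas inside them do not end the argument.
function firstArgument(src, open) {
  let depth = 0;
  let quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;            // skip the escaped character
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === "`") { quote = c; continue; }
    if ("([{".includes(c)) depth++;
    else if (")]}".includes(c)) {
      depth--;
      if (depth === 0) return src.slice(open + 1, i).trim();
    } else if (c === "," && depth === 1) {
      return src.slice(open + 1, i).trim();
    }
  }
  return null;
}

// Verdict for a template-source expression. A bare identifier is followed one
// hop to its const/let/var declaration; anything else unresolved is flagged for
// manual tracing (the "database row, originally user-supplied" case).
function classifyTemplateSource(arg, src, hop = 0) {
  if (arg === null) return "UNPARSEABLE: inspect manually";
  if (/^(['"])(?:\\.|(?!\1)[^\\\n])*\1$/.test(arg)) return "SAFE: string literal";
  if (/^`(?:[^`\\$]|\\.|\$(?!\{))*`$/.test(arg)) return "SAFE: template literal without interpolation";
  if (TAINT_HINTS.some((re) => re.test(arg))) return "VULNERABLE: request data in template source";
  if (FILE_HINTS.some((re) => re.test(arg))) return "SAFE: template loaded from file";
  if (hop === 0 && /^[A-Za-z_$][\w$]*$/.test(arg)) {
    const name = arg.replace(/\$/g, "\\$");
    const decl = new RegExp("\\b(?:const|let|var)\\s+" + name + "\\s*=\\s*([^;\\n]+)").exec(src);
    if (decl) return classifyTemplateSource(decl[1].trim(), src, hop + 1);
  }
  return "NEEDS REVIEW: trace origin (database, config, upstream call)";
}

// Step 1 + Step 2: every sink call with its line, first argument and verdict.
function scanTemplateSinks(src) {
  const findings = [];
  for (const sink of TEMPLATE_SINKS) {
    const re = new RegExp("\\b" + sink.replace(/\./g, "\\.") + "\\s*\\(", "g");
    let m;
    while ((m = re.exec(src)) !== null) {
      const open = m.index + m[0].length - 1;
      const arg = firstArgument(src, open);
      findings.push({
        line: src.slice(0, m.index).split("\n").length,
        sink,
        arg,
        verdict: classifyTemplateSource(arg, src),
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample application code (not from any real project).
const SAMPLE = [
  'const tpl = fs.readFileSync("views/welcome.ejs", "utf8");',
  'app.post("/preview", (req, res) => {',
  '  res.send(ejs.render(req.body.template, { user: req.user }));',
  '});',
  'app.get("/hello", (req, res) => {',
  '  res.send(ejs.render(tpl, { name: req.query.name }));',
  '});',
  'const greet = Handlebars.compile("Hello {{name}}!");',
  'const subject = nunjucks.renderString(`Order #${req.params.id} shipped`, ctx);',
  'const body = mustache.render(templateRow.body, view);',
].join("\n");

for (const f of scanTemplateSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink}(${f.arg}, ...) -> ${f.verdict}`);
}
```

On the sample this reports line 3 and line 9 as VULNERABLE (request data is the template source, once directly and once via interpolation), line 6 as SAFE after resolving `tpl` to a file read, line 8 as a safe literal, and line 10 (a database row used as the Mustache template) as NEEDS REVIEW, which is exactly the item 3 case in Step 2. The regex approach is a triage aid: a member expression such as `templateRow.body`, a value passed through a function parameter, or a declaration the one-hop lookup misses all need manual tracing.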