sast-ssti
Install: claude install-skill reasonless-throne486/sast-skills
# Server-Side Template Injection (SSTI) Detection
You are performing a focused security assessment to find Server-Side Template Injection vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: **recon** (find candidate rendering sites where the template string is dynamic), **batched verify** (trace whether user input reaches each site's template argument, in parallel batches of 3), and **merge** (consolidate batch results into the final report).
**Prerequisites**: `sast/architecture.md` must exist. Run the analysis skill first if it doesn't.
---
## What is SSTI
Server-Side Template Injection occurs when user-supplied input is embedded directly into a template string that is then evaluated by a template engine. Unlike passing user data as *context variables* to a static template, SSTI means the user can write template syntax that the engine will execute — leading to arbitrary code execution, file read, or full server compromise.
The core pattern: *unvalidated user input is used as the template string passed to a template engine's render/compile/evaluate function.*
### What SSTI IS
- Passing user input as the template string to be compiled or rendered:
  - `Template(user_input).render()` — Jinja2
  - `env.from_string(user_input).render()` — Jinja2
  - `render_template_string(user_input)` — Flask
  - `ejs.render(user_input, ctx)` — EJS (Node.js)
  - `nunjucks.renderString(user_input, ctx)` — Nunjucks
  - `Handlebars.compile(user_input)(ctx)`
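The recon phase described at the top and the sink list just above amount to one mechanical check: find calls to a known template sink and ask whether the template argument is a string literal or something computed. The following is an added example of that check for the Python sinks (Jinja2 `Template`, `env.from_string`, Flask `render_template_string`), written here for illustration and not taken from the skill repository. It uses only the standard-library `ast` module; the sink table and the sample source it scans are constructed for the example. It deliberately over-approximates (any call named `Template` matches), which is what recon should do, since the verify phase is where taint is traced and false positives are dropped.

```python
"""Recon-phase helper: flag template-engine sinks whose template argument is dynamic.

Added example for this skill; it is not code from the skill repository. It walks
a Python AST with only the standard library, so it runs offline. Sink names come
from the list in the text above; the sample source below is constructed here.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Sink name -> position of the template-string argument.
# Matching on the bare attribute/function name is a deliberate recon-phase
# over-approximation: the verify phase is expected to discard false positives.
TEMPLATE_SINKS = {
    "Template": 0,                # jinja2.Template(source)
    "from_string": 0,             # env.from_string(source)
    "render_template_string": 0,  # flask.render_template_string(source)
}


@dataclass
class Finding:
    lineno: int
    sink: str
    dynamic: bool   # True when the template argument is anything but a string literal
    template: str   # source text of the template argument, for the report


def _call_name(node: ast.Call) -> Optional[str]:
    """Return the called name for both f(...) and obj.f(...) forms."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def _template_arg(node: ast.Call, idx: int) -> Optional[ast.expr]:
    """Template argument, passed positionally or as the `source=` keyword
    (the parameter name used by the Jinja2 and Flask sinks listed above)."""
    if len(node.args) > idx:
        return node.args[idx]
    return next((kw.value for kw in node.keywords if kw.arg == "source"), None)


def _is_static(arg: ast.expr) -> bool:
    """Only a plain string literal counts as static. f-strings (JoinedStr),
    concatenation (BinOp), names, and calls such as .format() are dynamic."""
    return isinstance(arg, ast.Constant) and isinstance(arg.value, str)


def find_template_sinks(source: str) -> List[Finding]:
    """Every sink call in `source`, in line order, classified static/dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in TEMPLATE_SINKS:
            continue
        arg = _template_arg(node, TEMPLATE_SINKS[name])
        if arg is None:
            continue  # no template argument to classify
        findings.append(Finding(node.lineno, name, not _is_static(arg), ast.unparse(arg)))
    return sorted(findings, key=lambda f: f.lineno)


def candidate_sites(source: str) -> List[Finding]:
    """The recon output: only sinks whose template string is dynamic."""
    return [f for f in find_template_sinks(source) if f.dynamic]


# Constructed sample: two candidate sites and two safe uses of the same sinks.
SAMPLE = '''
from flask import Flask, request, render_template_string
from jinja2 import Template

app = Flask(__name__)

@app.route("/hello")
def hello():
    # user-controlled template string: SSTI candidate
    return render_template_string("Hello " + request.args.get("name", ""))

@app.route("/greet")
def greet():
    # static template, user data passed as a context variable: not SSTI
    return render_template_string("Hello {{ name }}", name=request.args.get("name", ""))

def render_banner(text):
    return Template(text).render()  # template comes from a parameter: candidate

def render_fixed():
    return Template("static {{ x }}").render(x=1)
'''

if __name__ == "__main__":
    for f in candidate_sites(SAMPLE):
        print(f"line {f.lineno}: {f.sink}({f.template}) -- dynamic template, verify taint")
```

On the constructed sample the recon output is lines 10 and 18: the concatenated template in `hello` and the parameter-sourced template in `render_banner`. The two `{{ name }}` / `{{ x }}` uses are classified static because the user data enters only as context variables, which is exactly the distinction the "What is SSTI" section draws. Whether `text` in `render_banner` is actually reachable from user input is a question for the verify phase, not recon.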