Templating

PyStringTemplate

Covers string.Template and string.Formatter. Template($var) substitution is safe when the placeholders are explicit and authored by the developer. Formatter.format() with a user-controlled format string (including its format_spec) is a format-string injection vector.

Taint flow: 0 sources, 1 sink
Sinks — dangerous call
.Formatter()

Sinks

.Formatter() (Sink)
Signature
string.Formatter() -> Formatter

Advanced str.format interface. Format-string injection sink when format string is user-controlled.

Other Methods

.Template() (Neutral)
Signature
string.Template(template: str) -> Template

Creates a $-substitution template. Neutral; substitute() is the rendering step.
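The contrast the rule draws (the summary above and the .Formatter() sink entry) is easiest to see side by side. The following is an added example, not code from the rule page or the codepathfinder project; the context keys (user, api_token), the rendering helpers and the AllowListFormatter class are all constructed here for illustration. It shows why a caller-controlled format string passed to string.Formatter() is a sink, why a developer-authored string.Template is neutral, and one way to harden a Formatter when the format string genuinely has to come from the caller.

```python
import string

# Constructed sample rendering context (hypothetical names, not from the rule page).
# One entry is sensitive and must never reach output the caller did not intend.
CONTEXT = {"user": "alice", "api_token": "tok-EXAMPLE-0000"}


def render_with_formatter(fmt: str, context: dict) -> str:
    """The sink the rule flags: the *format string* itself is caller-controlled.

    Every key in `context` (and attributes of those values) becomes reachable
    from the format string, regardless of what the developer meant to expose.
    """
    return string.Formatter().format(fmt, **context)


def render_with_template(template_text: str, context: dict) -> str:
    """The neutral path: a developer-authored $-template.

    Caller data only ever arrives as *values*; braces, dots and brackets in
    those values are copied literally, never interpreted as template syntax.
    """
    return string.Template(template_text).safe_substitute(context)


class AllowListFormatter(string.Formatter):
    """Hardened Formatter for the case where the format string must stay
    caller-controlled: only explicitly allowed top-level names resolve, so
    neither undeclared keys nor attribute/index traversal is possible."""

    def __init__(self, allowed: set[str]):
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        # field_name is the full reference, e.g. "user" or "user.__class__";
        # anything not in the allow list (including traversal) is refused.
        if field_name not in self.allowed:
            raise ValueError(f"disallowed field: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def is_rejected(fmt: str, allowed: set[str], context: dict) -> bool:
    """True if the hardened formatter refuses the caller-supplied format string."""
    try:
        AllowListFormatter(allowed).format(fmt, **context)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Caller-controlled format string reaches data the developer never exposed.
    print(render_with_formatter("{api_token}", CONTEXT))
    # The same caller text passed as a *value* to a fixed template stays literal.
    print(render_with_template("Hello $user, you wrote: $msg",
                               {**CONTEXT, "msg": "{api_token}"}))
    # Hardened formatter: the declared name works, anything else is refused.
    print(AllowListFormatter({"user"}).format("Hi {user}", **CONTEXT))
    print(is_rejected("{api_token}", {"user"}, CONTEXT))
    print(is_rejected("{user.__class__}", {"user"}, CONTEXT))
```

The allow-list check works because Formatter.get_field receives the whole field reference before any attribute or index lookup happens, so a single membership test covers both undeclared keys and traversal. Note that string.Template is neutral only while the template text is the developer's; a caller-supplied $-template could still name any key in the mapping, so keep the mapping limited to what the output is meant to contain.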

Fully-Qualified Names

FQN     Field
string  fqns[0]

A wrong FQN yields 0 findings. Verify by changing fqns to garbage: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyStringTemplate