Frappe ERPNext
cpe:2.3:a:frappe:erpnext:*:*:*:*:*:*:*
- <= 15.89.0
A server-side template injection (SSTI) vulnerability has been identified in Frappe ERPNext versions through 15.89.0. The issue arises in the 'get_contract_template' method, which renders a user-controlled Jinja2 template with 'frappe.render_template()' using a context the user can also influence. Although Frappe renders templates in a custom Jinja2 SandboxedEnvironment, several dangerous globals, including 'frappe.db.sql', remain reachable through 'get_safe_globals()'. An authenticated attacker who can create or modify contract templates can therefore inject arbitrary Jinja expressions into the 'contract_terms' field and have them evaluated on the server in a restricted but still hazardous context, with the possibility of leaking sensitive database information.
Exploitation allows an authenticated attacker to evaluate arbitrary Jinja2 expressions on the server, giving code execution within the sandbox's restricted context. Because 'frappe.db.sql' is reachable from that context, the attacker can run SQL queries and disclose sensitive database contents.
To reproduce, an authenticated user creates or edits a contract template in ERPNext and places a Jinja2 payload in the 'Contract Terms' field. Saving the template stores the payload without evaluating it. The payload is triggered by calling the 'get_contract_template' method directly through the API: the method renders the stored template, evaluates the injected expression, and returns its output in the response.
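The mechanism described above, as an added illustration that is not Frappe's code: a Jinja2 SandboxedEnvironment restricts what template code can reach through Python attributes, but it cannot restrict what the globals handed to it are allowed to do. The names 'db_sql', 'safe_globals' and 'render_contract_terms' are stand-ins for 'frappe.db.sql', 'get_safe_globals()' and the rendering done by 'get_contract_template'; the SQLite table, its rows and the payload are constructed for the example. The hardened variant and the 'foreign_names' check are suggested mitigations, not Frappe's fix.

```python
# Added illustration, not Frappe code. db_sql, safe_globals and
# render_contract_terms stand in for frappe.db.sql, get_safe_globals() and
# the rendering path of get_contract_template.
import sqlite3
from jinja2 import meta
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample data standing in for the site database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE tabUser (name TEXT, api_key TEXT)")
_conn.executemany(
    "INSERT INTO tabUser VALUES (?, ?)",
    [("admin@example.com", "k-1111"), ("user@example.com", "k-2222")],
)


def db_sql(query):
    """Stand-in for frappe.db.sql: runs raw SQL and returns the rows."""
    return _conn.execute(query).fetchall()


def safe_globals():
    """Stand-in for get_safe_globals(): a query callable is reachable as frappe.db.sql.
    The sandbox checks attribute access on Python objects; a plain function
    placed in the globals is a 'safe callable' and will be invoked."""
    return {"frappe": {"db": {"sql": db_sql}}}


def render_contract_terms(contract_terms, context):
    """The vulnerable pattern: the user-controlled field *is* the template source."""
    env = SandboxedEnvironment()
    env.globals.update(safe_globals())
    return env.from_string(contract_terms).render(**context)


def render_contract_terms_fixed(template_source, contract_terms, context):
    """Hardened pattern: a developer-owned template, the user's text passed in
    as a context value only, no database callables in the globals, autoescape on."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(template_source).render(contract_terms=contract_terms, **context)


def foreign_names(template_source, allowed):
    """Names a template reads that are outside the expected context. For a
    template that users are allowed to author, a non-empty result means it is
    reaching for globals such as 'frappe' and should be rejected on save."""
    env = SandboxedEnvironment()
    return meta.find_undeclared_variables(env.parse(template_source)) - set(allowed)


# Constructed payload of the shape described above: a Jinja expression that
# calls the query function exposed through the globals.
PAYLOAD = '{{ frappe.db.sql("select name, api_key from tabUser") }}'

if __name__ == "__main__":
    ctx = {"party_name": "ACME"}
    print(render_contract_terms(PAYLOAD, ctx))          # rows, including api keys
    print(render_contract_terms_fixed("<p>{{ contract_terms }}</p>", PAYLOAD, ctx))
    print(foreign_names(PAYLOAD, ctx))                   # {'frappe'}
```

The first render returns the query result because the sandbox only mediates attribute and item access on Python objects; a callable deliberately exported as a global is, by definition, callable. The fix is therefore not a stricter sandbox but removing query primitives from the globals given to user-authored templates, or, better, never treating a user-owned field as template source at all; the 'foreign_names' check is a cheap server-side guard to apply when the template is saved.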