FIX Mitigate Jinja2 Server-Side Template Injection (SSTI) vulnerability#1577
Open
romanlutz wants to merge 6 commits intomicrosoft:mainfrom
Open
FIX Mitigate Jinja2 Server-Side Template Injection (SSTI) vulnerability#1577romanlutz wants to merge 6 commits intomicrosoft:mainfrom
romanlutz wants to merge 6 commits intomicrosoft:mainfrom
Conversation
Use SandboxedEnvironment instead of unsandboxed Environment/Template in
seed.py to block Python object traversal attacks (e.g. __class__.__mro__).
Add {% raw %}...{% endraw %} wrapping to 21 remote dataset loaders that
were passing fetched data directly into SeedPrompt/SeedObjective value
parameters without Jinja2 escaping. This prevents template injection
from poisoned remote datasets.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
Verify that SandboxedEnvironment blocks Python object traversal
when a malicious payload uses {% endraw %} to escape a {% raw %}
wrapper. Tests both render_template_value and render_template_value_silent.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
Replace remote fetch from GitHub URL with bundled JSON file to eliminate supply chain risk. The dataset (400 examples from KutalVolkan/many-shot-jailbreaking-dataset@5eac855) is now loaded from pyrit/datasets/jailbreak/many_shot_examples.json. Rename fetch_many_shot_jailbreaking_dataset to load_many_shot_jailbreaking_dataset and remove requests dependency. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
Replace inline f-string raw wrapping across 31 remote dataset loaders with a shared escape_jinja_template_syntax() function in remote_dataset_loader.py. This makes the pattern discoverable and harder to forget when adding new loaders. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
…ES_PATH The vendored JSON file is at datasets/jailbreak/, not datasets/jailbreak/templates/ — it's data, not a template. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
romanlutz
force-pushed
the
fix/ssti-sandbox-environment
branch
from
47cad95 to
6b97a8b
Compare
rlundeen2
reviewed
Apr 7, 2026
rlundeen2
reviewed
Apr 7, 2026
romanlutz
force-pushed
the
fix/ssti-sandbox-environment
branch
from
9098c1c to
58b23aa
Compare
Add jinja_template field to Seed (default False). When False, __post_init__ automatically wraps the value in raw tags to prevent template injection. Trusted sources (from_yaml_file) set jinja_template=True to allow Jinja2 rendering. This eliminates the need for callers to remember escape_jinja_template_syntax(). Dataset loaders no longer need explicit escaping — SeedPrompt(value=remote_data) is safe by default. Propagation: SeedGroup and SeedDataset from_yaml_file overrides pass jinja_template=True through to nested seed construction. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: adrian-gavrila <50029937+adrian-gavrila@users.noreply.github.com>
romanlutz
force-pushed
the
fix/ssti-sandbox-environment
branch
from
58b23aa to
ab55b31
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
PyRIT's template rendering in
seed.pyused an unsandboxed Jinja2Environment, and 21 of 30 remote dataset loaders passed fetched data directly intoSeedPrompt(value=...)without escaping. SinceSeedPrompt.__post_init__rendersself.valueas a Jinja2 template, a poisoned remote dataset could achieve Python object traversal (e.g."".__class__.__mro__[1].__subclasses__()) — confirmed via proof-of-concept.The 9 loaders that did wrap values in
{% raw %}...{% endraw %}were also bypassable via{% endraw %}injection in the payload.Changes
Layer 1 — Sandbox the rendering engine (
seed.py)Environment()/Template()withSandboxedEnvironmentfromjinja2.sandbox__class__,__mro__,__subclasses__()and other unsafe attribute accessrender_template_value/render_template_value_silentLayer 2 — Escape untrusted data in remote dataset loaders
escape_jinja_template_syntax()helper inremote_dataset_loader.pyf"{{% raw %}}...{{% endraw %}}"patterns with the helperLayer 3 — Eliminate supply chain risk in many-shot jailbreak
pyrit/datasets/jailbreak/many_shot_examples.json- The dataset was provided by @KutalVolkan originally. For simplicity, we're including it here as well.requests.get()from GitHub URL with localjson.load()fetch_many_shot_jailbreaking_dataset→load_many_shot_jailbreaking_datasetRegression tests
test_render_template_value_blocks_ssti_via_endraw_injection— verifies sandbox blocks{% endraw %}escape attacktest_render_template_value_silent_blocks_ssti_via_endraw_injection— same for the silent rendering pathTesting
SecurityErrorwith sandbox, executes without