Merge pull request #5935 from porcupineyhairs/javaSstiNew

Java : Add SSTI query

java/ql/src/experimental/Security/CWE/CWE-094/SSTIBad.java

@@ -0,0 +1,19 @@
+@Controller
+public class VelocitySSTI {
+
+	@GetMapping(value = "bad")
+	public void bad(HttpServletRequest request) {
+		Velocity.init();
+
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+
+		context.put("name", "Velocity");
+		context.put("project", "Jakarta");
+
+		StringWriter w = new StringWriter();
+		// evaluate( Context context, Writer out, String logTag, String instring )
+		Velocity.evaluate(context, w, "mystring", code);
+	}
+}

java/ql/src/experimental/Security/CWE/CWE-094/SSTIGood.java

@@ -0,0 +1,17 @@
+@Controller
+public class VelocitySSTI {
+
+	@GetMapping(value = "good")
+	public void good(HttpServletRequest request) {
+		Velocity.init();
+		VelocityContext context = new VelocityContext();
+
+		context.put("name", "Velocity");
+		context.put("project", "Jakarta");
+
+		String s = "We are using $project $name to render this.";
+		StringWriter w = new StringWriter();
+		Velocity.evaluate(context, w, "mystring", s);
+		System.out.println(" string : " + w);
+	}
+}

java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+            Template Injection occurs when user input is embedded in a template in an unsafe manner.
+            An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.</p>
+  </overview>
+  <recommendation>
+    <p>
+            To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+        </p>
+  </recommendation>
+  <example>
+    <p>
+      In the example given below, an untrusted HTTP parameter
+      <code>code</code>
+      is used as a Velocity template string. This can lead to remote code execution.
+    </p>
+    <sample src="SSTIBad.java" />
+
+    <p>
+      In the next example the problem is avoided by using a fixed template string
+      <code>s</code>
+      . Since, the template is not attacker controlled in this case, we prevent untrusted code execution.
+    </p>
+    <sample src="SSTIGood.java" />
+  </example>
+  <references>
+    <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Server Side Template Injection
+ * @description Untrusted input used as a template parameter can lead to remote code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/server-side-template-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import TemplateInjection
+import DataFlow::PathGraph
+
+from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
+  source.getNode(), "a template value loaded from a remote source."

java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.qll

@@ -0,0 +1,209 @@
+/** Definitions related to the Server Side Template Injection (SSTI) query. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import experimental.semmle.code.java.frameworks.FreeMarker
+import experimental.semmle.code.java.frameworks.Velocity
+import experimental.semmle.code.java.frameworks.JinJava
+import experimental.semmle.code.java.frameworks.Pebble
+import experimental.semmle.code.java.frameworks.Thymeleaf
+
+/** A taint tracking configuration to reason about Server Side Template Injection (SSTI) vulnerabilities */
+class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
+  TemplateInjectionFlowConfig() { this = "TemplateInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ) {
+    exists(AdditionalFlowStep a | a.isAdditionalTaintStep(prev, succ))
+  }
+}
+
+/**
+ * A data flow sink for Server Side Template Injection (SSTI) vulnerabilities
+ */
+abstract private class Sink extends DataFlow::ExprNode { }
+
+/**
+ * A data flow step for Server Side Template Injection (SSTI) vulnerabilities
+ */
+private class AdditionalFlowStep extends Unit {
+  abstract predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ);
+}
+
+/**
+ * An argument to FreeMarker template engine's `process` method call.
+ */
+private class FreeMarkerProcessSink extends Sink {
+  FreeMarkerProcessSink() {
+    exists(MethodAccess m |
+      m.getCallee() instanceof MethodFreeMarkerTemplateProcess and
+      m.getArgument(0) = this.getExpr()
+    )
+  }
+}
+
+/**
+ * An reader passed an argument to FreeMarker template engine's `Template`
+ *   construtor call.
+ */
+private class FreeMarkerConstructorSink extends Sink {
+  FreeMarkerConstructorSink() {
+    // Template(java.lang.String name, java.io.Reader reader)
+    // Template(java.lang.String name, java.io.Reader reader, Configuration cfg)
+    // Template(java.lang.String name, java.io.Reader reader, Configuration cfg, java.lang.String encoding)
+    // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader reader, Configuration cfg)
+    // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader reader, Configuration cfg, ParserConfiguration customParserConfiguration, java.lang.String encoding)
+    // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader reader, Configuration cfg, java.lang.String encoding)
+    exists(ConstructorCall cc, Expr e |
+      cc.getConstructor().getDeclaringType() instanceof TypeFreeMarkerTemplate and
+      e = cc.getAnArgument() and
+      (
+        e.getType().(RefType).hasQualifiedName("java.io", "Reader") and
+        this.asExpr() = e
+      )
+    )
+    or
+    exists(ConstructorCall cc |
+      cc.getConstructor().getDeclaringType() instanceof TypeFreeMarkerTemplate and
+      // Template(java.lang.String name, java.lang.String sourceCode, Configuration cfg)
+      cc.getNumArgument() = 3 and
+      cc.getArgument(1).getType() instanceof TypeString and
+      this.asExpr() = cc.getArgument(1)
+    )
+  }
+}
+
+/**
+ * An argument to FreeMarker template engine's `putTemplate` method call.
+ */
+private class FreeMarkerStringTemplateLoaderPutTemplateSink extends Sink {
+  FreeMarkerStringTemplateLoaderPutTemplateSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(1) and
+      ma.getMethod() instanceof MethodFreeMarkerStringTemplateLoaderPutTemplate
+    )
+  }
+}
+
+/**
+ * An argument to Pebble template engine's `getLiteralTemplate` or `getTemplate` method call.
+ */
+private class PebbleGetTemplateSinkTemplateSink extends Sink {
+  PebbleGetTemplateSinkTemplateSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(0) and
+      ma.getMethod() instanceof MethodPebbleGetTemplate
+    )
+  }
+}
+
+/**
+ * An argument to JinJava template engine's `render` or `renderForResult` method call.
+ */
+private class JinjavaRenderSink extends Sink {
+  JinjavaRenderSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(0) and
+      (
+        ma.getMethod() instanceof MethodJinjavaRenderForResult
+        or
+        ma.getMethod() instanceof MethodJinjavaRender
+      )
+    )
+  }
+}
+
+/**
+ * An argument to ThymeLeaf template engine's `process` method call.
+ */
+private class ThymeLeafRenderSink extends Sink {
+  ThymeLeafRenderSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(0) and
+      ma.getMethod() instanceof MethodThymeleafProcess
+    )
+  }
+}
+
+/**
+ * Tainted data flowing into a Velocity Context through `put` method taints the context.
+ */
+private class VelocityContextFlow extends AdditionalFlowStep {
+  override predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ) {
+    exists(MethodAccess m | m.getMethod() instanceof MethodVelocityContextPut |
+      m.getArgument(1) = prev.asExpr() and
+      succ.asExpr() = m.getQualifier()
+    )
+  }
+}
+
+/**
+ * An argument to Velocity template engine's `mergeTemplate` method call.
+ */
+private class VelocityMergeTempSink extends Sink {
+  VelocityMergeTempSink() {
+    exists(MethodAccess m |
+      // static boolean	mergeTemplate(String templateName, String encoding, Context context, Writer writer)
+      m.getCallee() instanceof MethodVelocityMergeTemplate and
+      m.getArgument(2) = this.getExpr()
+    )
+  }
+}
+
+/**
+ * An argument to Velocity template engine's `mergeTemplate` method call.
+ */
+private class VelocityMergeSink extends Sink {
+  VelocityMergeSink() {
+    exists(MethodAccess m |
+      m.getCallee() instanceof MethodVelocityMerge and
+      // public void merge(Context context, Writer writer)
+      // public void merge(Context context, Writer writer, List<String> macroLibraries)
+      m.getArgument(0) = this.getExpr()
+    )
+  }
+}
+
+/**
+ * An argument to Velocity template engine's `evaluate` method call.
+ */
+private class VelocityEvaluateSink extends Sink {
+  VelocityEvaluateSink() {
+    exists(MethodAccess m |
+      m.getCallee() instanceof MethodVelocityEvaluate and
+      m.getArgument([0, 3]) = this.getExpr()
+    )
+  }
+}
+
+/**
+ * An argument to Velocity template engine's `parse` method call.
+ */
+private class VelocityParseSink extends Sink {
+  VelocityParseSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(0) and
+      ma.getMethod() instanceof MethodVelocityParse
+    )
+  }
+}
+
+/**
+ * An argument to Velocity template engine's `putStringResource` method call.
+ */
+private class VelocityPutStringResSink extends Sink {
+  VelocityPutStringResSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getArgument(1) and
+      ma.getMethod() instanceof MethodVelocityPutStringResource
+    )
+  }
+}

java/ql/src/experimental/semmle/code/java/frameworks/FreeMarker.qll

@@ -0,0 +1,29 @@
+/** Definitions related to the FreeMarker Templating library. */
+
+import java
+
+/** The `Template` class of the FreeMarker Template Engine */
+class TypeFreeMarkerTemplate extends Class {
+  TypeFreeMarkerTemplate() { this.hasQualifiedName("freemarker.template", "Template") }
+}
+
+/** The `process` method of the FreeMarker Template Engine's `Template` class */
+class MethodFreeMarkerTemplateProcess extends Method {
+  MethodFreeMarkerTemplateProcess() {
+    this.getDeclaringType() instanceof TypeFreeMarkerTemplate and
+    this.hasName("process")
+  }
+}
+
+/** The `StringTemplateLoader` class of the FreeMarker Template Engine */
+class TypeFreeMarkerStringLoader extends Class {
+  TypeFreeMarkerStringLoader() { this.hasQualifiedName("freemarker.cache", "StringTemplateLoader") }
+}
+
+/** The `process` method of the FreeMarker Template Engine's `StringTemplateLoader` class */
+class MethodFreeMarkerStringTemplateLoaderPutTemplate extends Method {
+  MethodFreeMarkerStringTemplateLoaderPutTemplate() {
+    this.getDeclaringType() instanceof TypeFreeMarkerStringLoader and
+    this.hasName("putTemplate")
+  }
+}

java/ql/src/experimental/semmle/code/java/frameworks/JinJava.qll

@@ -0,0 +1,24 @@
+/** Definitions related to the Jinjava Templating library. */
+
+import java
+
+/** The `Jinjava` class of the Jinjava Templating Engine. */
+class TypeJinjava extends Class {
+  TypeJinjava() { this.hasQualifiedName("com.hubspot.jinjava", "Jinjava") }
+}
+
+/** The `render` method of the Jinjava Templating Engine. */
+class MethodJinjavaRender extends Method {
+  MethodJinjavaRender() {
+    this.getDeclaringType() instanceof TypeJinjava and
+    this.hasName("render")
+  }
+}
+
+/** The `render` method of the Jinjava Templating Engine. */
+class MethodJinjavaRenderForResult extends Method {
+  MethodJinjavaRenderForResult() {
+    this.getDeclaringType() instanceof TypeJinjava and
+    this.hasName("renderForResult")
+  }
+}

java/ql/src/experimental/semmle/code/java/frameworks/Pebble.qll

@@ -0,0 +1,16 @@
+/** Definitions related to the Pebble Templating library. */
+
+import java
+
+/** The `PebbleEngine` class of the Pebble Templating Engine. */
+class TypePebbleEngine extends Class {
+  TypePebbleEngine() { this.hasQualifiedName("com.mitchellbosecke.pebble", "PebbleEngine") }
+}
+
+/** The `getTemplate` method of the Pebble Templating Engine. */
+class MethodPebbleGetTemplate extends Method {
+  MethodPebbleGetTemplate() {
+    this.getDeclaringType() instanceof TypePebbleEngine and
+    this.hasName(["getTemplate", "getLiteralTemplate"])
+  }
+}

java/ql/src/experimental/semmle/code/java/frameworks/Thymeleaf.qll

@@ -0,0 +1,25 @@
+/** Definitions related to the Thymeleaf Templating library. */
+
+import java
+
+/**
+ * A class implementing the `ITemplateEngine` interface of the Thymeleaf
+ * Templating Engine such as the `TemplateEngine` class.
+ */
+class TypeThymeleafTemplateEngine extends Class {
+  TypeThymeleafTemplateEngine() {
+    this.hasQualifiedName("org.thymeleaf", "TemplateEngine")
+    or
+    exists(Type t | this.getASupertype*().extendsOrImplements(t) |
+      t.hasName("org.thymeleaf.ITemplateEngine")
+    )
+  }
+}
+
+/** The `process` or `processThrottled` method of the Thymeleaf Templating Engine. */
+class MethodThymeleafProcess extends Method {
+  MethodThymeleafProcess() {
+    this.getDeclaringType() instanceof TypeThymeleafTemplateEngine and
+    this.hasName(["process", "processThrottled"])
+  }
+}

java/ql/src/experimental/semmle/code/java/frameworks/Velocity.qll

@@ -0,0 +1,119 @@
+/** Definitions related to the Apache Velocity Templating library. */
+
+import java
+
+/** The `org.apache.velocity.context.AbstractContext` class of the Velocity Templating Engine. */
+class TypeVelocityAbstractContext extends Class {
+  TypeVelocityAbstractContext() {
+    this.hasQualifiedName("org.apache.velocity.context", "AbstractContext")
+  }
+}
+
+/** The `org.apache.velocity.runtime.RuntimeServices` class of the Velocity Templating Engine. */
+class TypeVelocityRuntimeRuntimeServices extends Class {
+  TypeVelocityRuntimeRuntimeServices() {
+    this.hasQualifiedName("org.apache.velocity.runtime", "RuntimeServices")
+  }
+}
+
+/** The `org.apache.velocity.Template` class of the Velocity Templating Engine. */
+class TypeVelocityTemplate extends Class {
+  TypeVelocityTemplate() { this.hasQualifiedName("org.apache.velocity", "Template") }
+}
+
+/** The `org.apache.velocity.runtime.RuntimeSingleton` classTemplating Engine. */
+class TypeVelocityRuntimeRuntimeSingleton extends Class {
+  TypeVelocityRuntimeRuntimeSingleton() {
+    this.hasQualifiedName("org.apache.velocity.runtime", "RuntimeSingleton")
+  }
+}
+
+/** The `org.apache.velocity.VelocityEngine` class of the Velocity Templating Engine. */
+class TypeVelocityVelocityEngine extends Class {
+  TypeVelocityVelocityEngine() { this.hasQualifiedName("org.apache.velocity", "VelocityEngine") }
+}
+
+/** The `org.apache.velocity.app.VelocityEngine` class of the Velocity Templating Engine. */
+class TypeVelocityAppVelocityEngine extends RefType {
+  TypeVelocityAppVelocityEngine() {
+    this.hasQualifiedName("org.apache.velocity.app", "VelocityEngine")
+  }
+}
+
+/** The `org.apache.velocity.app.Velocity` class of the Velocity Templating Engine. */
+class TypeVelocityAppVelocity extends RefType {
+  TypeVelocityAppVelocity() { this.hasQualifiedName("org.apache.velocity.app", "Velocity") }
+}
+
+/**
+ * The `org.apache.velocity.runtime.resource.util.StringResourceRepository` interface
+ * of the Velocity Templating Engine.
+ */
+class TypeVelocityStringResourceRepo extends RefType {
+  TypeVelocityStringResourceRepo() {
+    this.hasQualifiedName("org.apache.velocity.runtime.resource.util", "StringResourceRepository")
+  }
+}
+
+/** The `internalPut` and `put` methods of the Velocity Templating Engine. */
+class MethodVelocityContextPut extends Method {
+  MethodVelocityContextPut() {
+    this.getDeclaringType().getASupertype*() instanceof TypeVelocityAbstractContext and
+    this.hasName(["put", "internalPut"])
+  }
+}
+
+/** The `evaluate` method of the Velocity Templating Engine. */
+class MethodVelocityEvaluate extends Method {
+  MethodVelocityEvaluate() {
+    // static boolean evaluate(Context context, Writer out, String logTag, String instring)
+    // static boolean evaluate(Context context, Writer writer, String logTag, Reader reader)
+    (
+      this.getDeclaringType() instanceof TypeVelocityAppVelocity or
+      this.getDeclaringType() instanceof TypeVelocityAppVelocityEngine or
+      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeServices
+    ) and
+    this.hasName("evaluate")
+  }
+}
+
+/** The `mergeTemplate` method of the Velocity Templating Engine. */
+class MethodVelocityMergeTemplate extends Method {
+  MethodVelocityMergeTemplate() {
+    // static boolean	mergeTemplate(String templateName, String encoding, Context context, Writer writer)
+    (
+      this.getDeclaringType() instanceof TypeVelocityAppVelocity or
+      this.getDeclaringType() instanceof TypeVelocityAppVelocityEngine
+    ) and
+    this.hasName("mergeTemplate")
+  }
+}
+
+/** The `merge` method of the Velocity Templating Engine. */
+class MethodVelocityMerge extends Method {
+  MethodVelocityMerge() {
+    // void merge(Context context, Writer writer)
+    // void merge(Context context, Writer writer, List<String> macroLibraries)
+    this.getDeclaringType() instanceof TypeVelocityTemplate and
+    this.hasName("merge")
+  }
+}
+
+/** The `parse` method of the Velocity Templating Engine. */
+class MethodVelocityParse extends Method {
+  MethodVelocityParse() {
+    (
+      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeSingleton or
+      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeServices
+    ) and
+    this.hasName("parse")
+  }
+}
+
+/** The `putStringResource` method of the Velocity Templating Engine. */
+class MethodVelocityPutStringResource extends Method {
+  MethodVelocityPutStringResource() {
+    this.getDeclaringType().getASupertype*() instanceof TypeVelocityStringResourceRepo and
+    this.hasName("putStringResource")
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-094/FreemarkerSSTI.java

@@ -0,0 +1,132 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.OutputStreamWriter;
+import java.util.HashMap;
+
+import freemarker.template.Template;
+import freemarker.template.Configuration;
+import freemarker.cache.StringTemplateLoader;
+import freemarker.template.ParserConfiguration;
+
+@Controller
+public class FreemarkerSSTI {
+	String sourceName = "sourceName";
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Reader reader = new StringReader(code);
+
+		// Template(java.lang.String name, java.io.Reader reader)
+		Template t = new Template(name, reader);
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Reader reader = new StringReader(code);
+		Configuration cfg = new Configuration();
+		
+		// Template(java.lang.String name, java.io.Reader reader, Configuration cfg)
+		Template t = new Template(name, reader, cfg);
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Reader reader = new StringReader(code);
+		Configuration cfg = new Configuration();
+
+		// Template(java.lang.String name, java.io.Reader reader, Configuration cfg,
+		// java.lang.String encoding)
+		Template t = new Template(name, reader, cfg, "UTF-8");
+	}
+
+	@GetMapping(value = "bad4")
+	public void bad4(HttpServletRequest request) {
+		String name = "ttemplate";
+		String sourceCode = request.getParameter("sourceCode");
+		Configuration cfg = new Configuration();
+
+		// Template(java.lang.String name, java.lang.String sourceCode, Configuration
+		// cfg)
+		Template t = new Template(name, sourceCode, cfg);
+	}
+
+	@GetMapping(value = "bad5")
+	public void bad5(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Configuration cfg = new Configuration();
+		Reader reader = new StringReader(code);
+
+		// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+		// reader, Configuration cfg)
+		Template t = new Template(name, sourceName, reader, cfg);
+	}
+
+	@GetMapping(value = "bad6")
+	public void bad6(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Configuration cfg = new Configuration();
+		ParserConfiguration customParserConfiguration = new Configuration();
+		Reader reader = new StringReader(code);
+
+		// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+		// reader, Configuration cfg, ParserConfiguration customParserConfiguration,
+		// java.lang.String encoding)
+		Template t = new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8");
+	}
+
+	@GetMapping(value = "bad7")
+	public void bad7(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+		Configuration cfg = new Configuration();
+		ParserConfiguration customParserConfiguration = new Configuration();
+		Reader reader = new StringReader(code);
+
+		// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+		// reader, Configuration cfg, java.lang.String encoding)
+		Template t = new Template(name, sourceName, reader, cfg, "UTF-8");
+	}
+
+	@GetMapping(value = "bad8")
+	public void bad8(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		StringTemplateLoader stringLoader = new StringTemplateLoader();
+
+		// void putTemplate(java.lang.String name, java.lang.String templateContent)
+		stringLoader.putTemplate("myTemplate", code);
+	}
+
+	@GetMapping(value = "bad9")
+	public void bad9(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		StringTemplateLoader stringLoader = new StringTemplateLoader();
+		
+		// void putTemplate(java.lang.String name, java.lang.String templateContent,
+		// long lastModified)
+		stringLoader.putTemplate("myTemplate", code, 0);
+	}
+
+	@GetMapping(value = "bad10")
+	public void bad10(HttpServletRequest request) {
+		HashMap root = new HashMap();
+		String code = request.getParameter("code");
+        root.put("code", code);
+		Configuration cfg = new Configuration();
+        Template temp = cfg.getTemplate("test.ftlh");        
+        OutputStreamWriter out = new OutputStreamWriter(System.out);
+        temp.process(root, out);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-094/JinJavaSSTI.java

@@ -0,0 +1,48 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.hubspot.jinjava.*;
+import com.hubspot.jinjava.JinjavaConfig;
+import com.hubspot.jinjava.interpret.*;
+
+@Controller
+public class JinJavaSSTI {
+	String sourceName = "sourceName";
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String template = request.getParameter("template");
+		Jinjava jinjava = new Jinjava();
+		Map<String, Object> context = new HashMap<>();
+		// String render(String template, Map<String, ?> bindings)
+		String renderedTemplate = jinjava.render(template, context);
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) {
+		String template = request.getParameter("template");
+		Jinjava jinjava = new Jinjava();
+		Map<String, Object> bindings = new HashMap<>();
+		// RenderResult renderForResult (String template, Map<String, ?> bindings)
+		RenderResult renderResult = jinjava.renderForResult(template, bindings);
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String template = request.getParameter("template");
+		Jinjava jinjava = new Jinjava();
+		Map<String, Object> bindings = new HashMap<>();
+		JinjavaConfig renderConfig = new JinjavaConfig();
+
+		// RenderResult renderForResult (String template, Map<String, ?> bindings,
+		// JinjavaConfig renderConfig)
+		RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-094/PebbleSSTI.java

@@ -0,0 +1,30 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+
+import com.mitchellbosecke.pebble.PebbleEngine;
+import com.mitchellbosecke.pebble.template.*;
+
+@Controller
+public class PebbleSSTI {
+	String sourceName = "sourceName";
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		PebbleEngine engine = new PebbleEngine.Builder().build();
+		// public PebbleTemplate getTemplate(String templateName) 
+		PebbleTemplate compiledTemplate = engine.getTemplate(code);
+	}
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		PebbleEngine engine = new PebbleEngine.Builder().build();
+		// public PebbleTemplate getLiteralTemplate(String templateName) 
+		PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-094/TemplateInjection.expected

@@ -0,0 +1,136 @@
+edges
+| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String |
+| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:27:35:27:40 | reader |
+| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:34:36:34:39 | code : String |
+| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:38:35:38:40 | reader |
+| FreemarkerSSTI.java:34:36:34:39 | code : String | FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:45:36:45:39 | code : String |
+| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:50:35:50:40 | reader |
+| FreemarkerSSTI.java:45:36:45:39 | code : String | FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode |
+| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:69:36:69:39 | code : String |
+| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:73:47:73:52 | reader |
+| FreemarkerSSTI.java:69:36:69:39 | code : String | FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:82:36:82:39 | code : String |
+| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:87:47:87:52 | reader |
+| FreemarkerSSTI.java:82:36:82:39 | code : String | FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:36:96:39 | code : String |
+| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:100:47:100:52 | reader |
+| FreemarkerSSTI.java:96:36:96:39 | code : String | FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code |
+| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code |
+| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:126:26:126:29 | code : String |
+| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | FreemarkerSSTI.java:130:22:130:25 | root |
+| FreemarkerSSTI.java:126:26:126:29 | code : String | FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String |
+| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template |
+| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template |
+| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template |
+| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code |
+| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code |
+| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code |
+| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code |
+| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:50:42:50:45 | code : String |
+| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | VelocitySSTI.java:53:45:53:50 | reader |
+| VelocitySSTI.java:50:42:50:45 | code : String | VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader |
+| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:62:42:62:45 | code : String |
+| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | VelocitySSTI.java:63:25:63:30 | reader |
+| VelocitySSTI.java:62:42:62:45 | code : String | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader |
+| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context |
+| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context |
+| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context |
+| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context |
+| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code |
+nodes
+| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:27:35:27:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:34:36:34:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:38:35:38:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:45:36:45:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:50:35:50:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:61:35:61:44 | sourceCode | semmle.label | sourceCode |
+| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:69:36:69:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:73:47:73:52 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:82:36:82:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:87:47:87:52 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:96:36:96:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:100:47:100:52 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:109:42:109:45 | code | semmle.label | code |
+| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:119:42:119:45 | code | semmle.label | code |
+| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | semmle.label | root [post update] [<map.value>] : String |
+| FreemarkerSSTI.java:126:26:126:29 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:130:22:130:25 | root | semmle.label | root |
+| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:25:44:25:51 | template | semmle.label | template |
+| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:34:55:34:62 | template | semmle.label | template |
+| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:46:55:46:62 | template | semmle.label | template |
+| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PebbleSSTI.java:21:56:21:59 | code | semmle.label | code |
+| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PebbleSSTI.java:28:63:28:66 | code | semmle.label | code |
+| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code |
+| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:38:45:38:48 | code | semmle.label | code |
+| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| VelocitySSTI.java:50:42:50:45 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:53:45:53:50 | reader | semmle.label | reader |
+| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| VelocitySSTI.java:62:42:62:45 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:63:25:63:30 | reader | semmle.label | reader |
+| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:77:21:77:27 | context | semmle.label | context |
+| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:89:60:89:66 | context | semmle.label | context |
+| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:102:11:102:17 | context | semmle.label | context |
+| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:115:11:115:17 | context | semmle.label | context |
+| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:123:37:123:40 | code | semmle.label | code |
+subpaths
+#select
+| FreemarkerSSTI.java:27:35:27:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:27:35:27:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:38:35:38:40 | reader | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:38:35:38:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:50:35:50:40 | reader | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:50:35:50:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:61:35:61:44 | sourceCode | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:73:47:73:52 | reader | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:73:47:73:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:87:47:87:52 | reader | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:87:47:87:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:100:47:100:52 | reader | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:100:47:100:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:109:42:109:45 | code | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:119:42:119:45 | code | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) | a template value loaded from a remote source. |
+| FreemarkerSSTI.java:130:22:130:25 | root | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:130:22:130:25 | root | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) | a template value loaded from a remote source. |
+| JinJavaSSTI.java:25:44:25:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | a template value loaded from a remote source. |
+| JinJavaSSTI.java:34:55:34:62 | template | JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:30:21:30:52 | getParameter(...) | a template value loaded from a remote source. |
+| JinJavaSSTI.java:46:55:46:62 | template | JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:39:21:39:52 | getParameter(...) | a template value loaded from a remote source. |
+| PebbleSSTI.java:21:56:21:59 | code | PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:18:17:18:44 | getParameter(...) | a template value loaded from a remote source. |
+| PebbleSSTI.java:28:63:28:66 | code | PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:25:17:25:44 | getParameter(...) | a template value loaded from a remote source. |
+| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Potential arbitrary code execution due to $@. | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:38:45:38:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:53:45:53:50 | reader | VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:53:45:53:50 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:63:25:63:30 | reader | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:63:25:63:30 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:59:17:59:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:77:21:77:27 | context | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:69:17:69:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:89:60:89:66 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:102:11:102:17 | context | VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:95:17:95:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:115:11:115:17 | context | VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:108:17:108:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:123:37:123:40 | code | VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:120:17:120:44 | getParameter(...) | a template value loaded from a remote source. |

java/ql/test/experimental/query-tests/security/CWE-094/TemplateInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/TemplateInjection.ql

java/ql/test/experimental/query-tests/security/CWE-094/ThymeleafSSTI.java

@@ -0,0 +1,31 @@
+import javax.imageio.stream.FileImageInputStream;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.Writer;
+
+import org.thymeleaf.*;
+import org.thymeleaf.context.Context;
+
+@Controller
+public class ThymeleafSSTI {
+	String sourceName = "sourceName";
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		Context ctx = new Context();
+		try {
+			FileWriter fw = new FileWriter(new File("as"));
+			TemplateEngine templateEngine = new TemplateEngine();
+			templateEngine.process(code, ctx, fw);
+		} catch (Exception e) {
+		}
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-094/VelocitySSTI.java

@@ -0,0 +1,126 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.OutputStreamWriter;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.util.HashMap;
+import java.util.LinkedList;
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.context.AbstractContext;
+import org.apache.velocity.context.Context;
+import org.apache.velocity.Template;
+import org.apache.velocity.app.Velocity;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeServices;
+import org.apache.velocity.runtime.resource.util.StringResourceRepository;
+import org.apache.velocity.runtime.resource.util.StringResourceRepositoryImpl;
+
+@Controller
+public class VelocitySSTI {
+	String sourceName = "sourceName";
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = null;
+
+		String s = "We are using $project $name to render this.";
+		StringWriter w = new StringWriter();
+		// evaluate( Context context, Writer out, String logTag, String instring )
+		Velocity.evaluate(context, w, "mystring", code);
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = null;
+
+		String s = "We are using $project $name to render this.";
+		StringWriter w = new StringWriter();
+		StringReader reader = new StringReader(code);
+
+		// evaluate(Context context, Writer writer, String logTag, Reader reader)
+		Velocity.evaluate(context, w, "mystring", reader);
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		RuntimeServices runtimeServices = new RuntimeServices();
+		StringReader reader = new StringReader(code);
+		runtimeServices.parse(reader, new Template());
+	}
+
+	@GetMapping(value = "bad4")
+	public void bad4(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+		context.put("code", code);
+
+		StringWriter w = new StringWriter();
+		StringReader reader = new StringReader("test");
+
+		Velocity.evaluate(context, w, "mystring", reader);
+	}
+
+	@GetMapping(value = "bad5")
+	public void bad5(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+		context.put("code", code);
+
+		StringWriter w = new StringWriter();
+		VelocityEngine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
+	}
+
+	@GetMapping(value = "bad6")
+	public void bad6(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+		context.put("code", code);
+
+		StringWriter w = new StringWriter();
+		Template t = new Template();
+		t.merge(context, w);
+	}
+
+	@GetMapping(value = "bad7")
+	public void bad7(HttpServletRequest request) {
+		String name = "ttemplate";
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+		context.put("code", code);
+
+		StringWriter w = new StringWriter();
+		Template t = new Template();
+		t.merge(context, w, new LinkedList<String>());
+	}
+
+	@GetMapping(value = "bad8")
+	public void bad8(HttpServletRequest request) {
+		String code = request.getParameter("code");
+
+		StringResourceRepository repo = new StringResourceRepositoryImpl();
+		repo.putStringResource("woogie2", code);
+
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-094/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell:${testdir}/../../../../experimental/stubs/apache-freemarker-2.3.31:${testdir}/../../../../experimental/stubs/jinjava-2.6.0:${testdir}/../../../../experimental/stubs/pebble-3.1.5:${testdir}/../../../../experimental/stubs/thymeleaf-3.0.14:${testdir}/../../../../experimental/stubs/apache-velocity-2.3

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/cache/StringTemplateLoader.java

@@ -0,0 +1,7 @@
+package freemarker.cache;
+
+public class StringTemplateLoader {
+    public StringTemplateLoader() {}
+    public void putTemplate(java.lang.String name, java.lang.String templateContent){}
+    public void putTemplate(java.lang.String name, java.lang.String templateContent, long lastModified){}
+}

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/template/Configuration.java

@@ -0,0 +1,9 @@
+package freemarker.template;
+
+import freemarker.template.Template;
+
+public class Configuration implements ParserConfiguration {
+
+  public Configuration() {}
+  public Template getTemplate(java.lang.String name){return null;}
+}

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/template/ObjectWrapper.java

@@ -0,0 +1,3 @@
+package freemarker.template;
+
+public interface ObjectWrapper {}

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/template/ParserConfiguration.java

@@ -0,0 +1,3 @@
+package freemarker.template;
+
+public interface ParserConfiguration {}

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/template/Template.java

@@ -0,0 +1,55 @@
+package freemarker.template;
+
+import java.io.Reader;
+import java.lang.String;
+
+public class Template {
+
+  public Template(String name, Reader reader) {
+  }
+
+  public Template(String name, Reader reader, Configuration cfg) {
+  }
+
+  public Template(String name, Reader reader, Configuration cfg, String encoding) {
+  }
+
+  public Template(String name, String sourceCode, Configuration cfg) {
+  }
+
+  public Template(String name, String sourceName, Reader reader, Configuration cfg) {
+  }
+
+  public Template(
+      String name,
+      String sourceName,
+      Reader reader,
+      Configuration cfg,
+      ParserConfiguration customParserConfiguration,
+      String encoding) {
+  }
+
+  public Template(
+      String name,
+      String sourceName,
+      Reader reader,
+      Configuration cfg,
+      String encoding) {
+  }
+
+  public void process(java.lang.Object dataModel, java.io.Writer out) {
+  }
+
+  public void process(
+      java.lang.Object dataModel,
+      java.io.Writer out,
+      ObjectWrapper wrapper) {
+  }
+
+  public void process(
+      java.lang.Object dataModel,
+      java.io.Writer out,
+      ObjectWrapper wrapper,
+      TemplateNodeModel rootNode) {
+  }
+}

java/ql/test/experimental/stubs/apache-freemarker-2.3.31/freemarker/template/TemplateNodeModel.java

@@ -0,0 +1,3 @@
+package freemarker.template;
+
+public interface TemplateNodeModel {}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/Template.java

@@ -0,0 +1,13 @@
+package org.apache.velocity;
+
+import org.apache.velocity.context.Context;
+import java.io.Writer;
+import java.util.List;
+
+public class Template {
+    public void merge(Context context, Writer writer) {
+    }
+
+    public void merge(Context context, Writer writer, List<String> macroLibraries) {
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/VelocityContext.java

@@ -0,0 +1,10 @@
+package org.apache.velocity;
+
+import org.apache.velocity.context.AbstractContext;
+import org.apache.velocity.context.Context;
+import java.io.Writer;
+
+public class VelocityContext extends AbstractContext implements Context {
+    public VelocityContext() {
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/VelocityEngine.java

@@ -0,0 +1,20 @@
+package org.apache.velocity;
+
+import org.apache.velocity.context;
+import java.io.Writer;
+import java.lang.String;
+import java.io.Reader;
+
+public class VelocityEngine {
+    public static boolean evaluate(Context context, Writer out, String logTag, String instring) {
+        return true;
+    }
+
+    public static boolean evaluate(Context context, Writer writer, String logTag, Reader reader) {
+        return true;
+    }
+
+    public static boolean mergeTemplate(String templateName, String encoding, Context context, Writer writer) {
+        return true;
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/app/Velocity.java

@@ -0,0 +1,15 @@
+package org.apache.velocity.app;
+
+import org.apache.velocity.context.Context;
+import java.io.Reader;
+import java.io.Writer;
+
+public class Velocity {
+    public static boolean evaluate(Context context, Writer out, String logTag, String instring) {
+        return true;
+    }
+
+    public static boolean evaluate(Context context, Writer writer, String logTag, Reader reader) {
+        return true;
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/app/VelocityEngine.java

@@ -0,0 +1,20 @@
+package org.apache.velocity.app;
+
+import org.apache.velocity.context.Context;
+import java.io.Writer;
+import java.lang.String;
+import java.io.Reader;
+
+public class VelocityEngine {
+    public static boolean evaluate(Context context, Writer out, String logTag, String instring) {
+        return true;
+    }
+
+    public static boolean evaluate(Context context, Writer writer, String logTag, Reader reader) {
+        return true;
+    }
+
+    public static boolean mergeTemplate(String templateName, String encoding, Context context, Writer writer) {
+        return true;
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/context/AbstractContext.java

@@ -0,0 +1,14 @@
+package org.apache.velocity.context;
+
+import org.apache.velocity.context.Context;
+import java.io.Writer;
+
+public class AbstractContext implements Context {
+    public Object put(String key, Object value) {
+        return null;
+    }
+
+    public Object internalPut(String key, Object value) {
+        return null;
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/context/Context.java

@@ -0,0 +1,7 @@
+package org.apache.velocity.context;
+
+public interface Context {
+    public Object put(String key, Object value);
+
+    public Object internalPut(String key, Object value);
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/runtime/RuntimeServices.java

@@ -0,0 +1,25 @@
+package org.apache.velocity.runtime;
+
+import org.apache.velocity.runtime.parser.node.*;
+
+import org.apache.velocity.context.Context;
+import java.io.Reader;
+import java.io.Writer;
+import org.apache.velocity.Template;
+
+public class RuntimeServices {
+    public RuntimeServices() {
+    }
+
+    public static SimpleNode parse(Reader reader, Template template) {
+        return null;
+    }
+
+    public static boolean evaluate(Context context, Writer out, String logTag, String instring) {
+        return true;
+    }
+
+    public static boolean evaluate(Context context, Writer writer, String logTag, Reader reader) {
+        return true;
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/runtime/RuntimeSingleton.java

@@ -0,0 +1,8 @@
+package org.apache.velocity.runtime;
+
+import org.apache.velocity.runtime.parser.node.*;
+
+public class RuntimeSingleton {
+    public static SimpleNode parse(Reader reader, Template template) {
+    }
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/runtime/parser/node/SimpleNode.java

@@ -0,0 +1,5 @@
+package org.apache.velocity.runtime.parser.node;
+
+public class SimpleNode {
+
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/runtime/resource/util/StringResourceRepository.java

@@ -0,0 +1,7 @@
+package org.apache.velocity.runtime.resource.util;
+
+public interface StringResourceRepository {
+    public void putStringResource(String name, String body);
+
+    public void putStringResource(String name, String body, String encoding);
+}

java/ql/test/experimental/stubs/apache-velocity-2.3/org/apache/velocity/runtime/resource/util/StringResourceRepositoryImpl.java

@@ -0,0 +1,9 @@
+package org.apache.velocity.runtime.resource.util;
+
+public class StringResourceRepositoryImpl implements StringResourceRepository {
+    public void putStringResource(String name, String body) {
+    }
+
+    public void putStringResource(String name, String body, String encoding) {
+    }
+}

java/ql/test/experimental/stubs/jinjava-2.6.0/com/hubspot/jinjava/Jinjava.java

@@ -0,0 +1,24 @@
+package com.hubspot.jinjava;
+
+import com.hubspot.jinjava.JinjavaConfig;
+import com.hubspot.jinjava.interpret.RenderResult;
+
+import java.lang.String;
+import java.util.Map;
+
+public class Jinjava {
+    public Jinjava() {
+    }
+
+    public String render(String template, Map<String, ?> bindings) {
+        return "test";
+    };
+
+    public RenderResult renderForResult(String template, Map<String, ?> bindings) {
+        return new RenderResult("result");
+    }
+
+    public RenderResult renderForResult(String template, Map<String, ?> bindings, JinjavaConfig renderConfig) {
+        return new RenderResult("result");
+    }
+}

java/ql/test/experimental/stubs/jinjava-2.6.0/com/hubspot/jinjava/JinjavaConfig.java

@@ -0,0 +1,5 @@
+package com.hubspot.jinjava;
+
+public class JinjavaConfig {
+
+}

java/ql/test/experimental/stubs/jinjava-2.6.0/com/hubspot/jinjava/interpret/RenderResult.java

@@ -0,0 +1,6 @@
+package com.hubspot.jinjava.interpret;
+
+public class RenderResult {
+    public RenderResult(String result) {
+    }
+}

java/ql/test/experimental/stubs/pebble-3.1.5/com/mitchellbosecke/pebble/PebbleEngine.java

@@ -0,0 +1,27 @@
+package com.mitchellbosecke.pebble;
+
+import com.mitchellbosecke.pebble.template.*;
+
+public class PebbleEngine {
+    public static class Builder {
+        public Builder() {
+        };
+
+        public PebbleEngine build() {
+            return new PebbleEngine();
+        }
+    };
+
+    PebbleEngine() {
+    }
+
+    public PebbleTemplate getLiteralTemplate(String templateName) {
+        return new PebbleTemplate() {
+        };
+    }
+
+    public PebbleTemplate getTemplate(String templateName) {
+        return new PebbleTemplate() {
+        };
+    }
+}

java/ql/test/experimental/stubs/pebble-3.1.5/com/mitchellbosecke/pebble/template/PebbleTemplate.java

@@ -0,0 +1,3 @@
+package com.mitchellbosecke.pebble.template;
+
+public interface PebbleTemplate {}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/ITemplateEngine.java

@@ -0,0 +1,28 @@
+package org.thymeleaf;
+
+import java.io.Writer;
+import java.lang.String;
+import java.util.Set;
+import org.thymeleaf.context.IContext;   
+import org.thymeleaf.*;   
+
+public interface ITemplateEngine {
+
+    public String process(String template, Set<String> templateSelectors, IContext context);
+
+    public void process(String template, Set<String> templateSelectors, IContext context, Writer writer);
+
+    public String process(String template, IContext context);
+
+    public void process(String template, IContext context, Writer writer);
+
+    public String process(TemplateSpec templateSpec, IContext context);
+
+    public void process(TemplateSpec templateSpec, IContext context, Writer writer);
+
+    public IThrottledTemplateProcessor processThrottled(String template, Set<String> templateSelectors, IContext context);
+
+    public IThrottledTemplateProcessor processThrottled(String template, IContext context);
+
+    public IThrottledTemplateProcessor processThrottled(TemplateSpec templateSpec, IContext context);
+}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/IThrottledTemplateProcessor.java

@@ -0,0 +1,5 @@
+package org.thymeleaf;
+
+public interface IThrottledTemplateProcessor {
+    
+}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/TemplateEngine.java

@@ -0,0 +1,51 @@
+package org.thymeleaf;
+
+import java.io.Writer;
+import java.lang.String;
+import java.util.Set;
+import org.thymeleaf.context.IContext;
+import org.thymeleaf.TemplateSpec;
+import org.thymeleaf.ITemplateEngine;
+import org.thymeleaf.IThrottledTemplateProcessor;
+
+public class TemplateEngine implements ITemplateEngine {
+
+    public String process(String template, Set<String> templateSelectors, IContext context) {
+        return "";
+    }
+
+    public void process(String template, Set<String> templateSelectors, IContext context, Writer writer) {
+    }
+
+    public String process(String template, IContext context) {
+        return "";
+    }
+
+    public void process(String template, IContext context, Writer writer) {
+    }
+
+    public String process(TemplateSpec templateSpec, IContext context) {
+        return "";
+    }
+
+    public void process(TemplateSpec templateSpec, IContext context, Writer writer) {
+    }
+
+    public IThrottledTemplateProcessor processThrottled(String template, Set<String> templateSelectors,
+            IContext context) {
+        return new IThrottledTemplateProcessor() {
+        };
+    }
+
+    public IThrottledTemplateProcessor processThrottled(String template, IContext context) {
+        return new IThrottledTemplateProcessor() {
+        };
+
+    }
+
+    public IThrottledTemplateProcessor processThrottled(TemplateSpec templateSpec, IContext context) {
+        return new IThrottledTemplateProcessor() {
+        };
+
+    }
+}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/TemplateSpec.java

@@ -0,0 +1,5 @@
+package org.thymeleaf;
+
+public class TemplateSpec {
+    
+}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/context/Context.java

@@ -0,0 +1,7 @@
+package org.thymeleaf.context;
+
+import org.thymeleaf.context.IContext;
+
+public class Context implements IContext {
+
+}

java/ql/test/experimental/stubs/thymeleaf-3.0.14/org/thymeleaf/context/IContext.java

@@ -0,0 +1,5 @@
+package org.thymeleaf.context;
+
+public interface IContext {
+
+}