Merge pull request #13230 from atorralba/atorralba/java/groove-template-engine-sink

Java: Add TemplateEngine.createTemplate as a Groovy injection sink

java/ql/lib/ext/groovy.lang.model.yml

@@ -29,3 +29,4 @@ extensions:
       - ["groovy.lang", "GroovyShell", False, "run", "(String,String,String[])", "", "Argument[0]", "groovy", "manual"]
       - ["groovy.lang", "GroovyShell", False, "run", "(URI,List)", "", "Argument[0]", "groovy", "manual"]
       - ["groovy.lang", "GroovyShell", False, "run", "(URI,String[])", "", "Argument[0]", "groovy", "manual"]
+      - ["groovy.text", "TemplateEngine", True, "createTemplate", "", "", "Argument[0]", "groovy", "manual"]

java/ql/src/change-notes/2023-05-19-groovy-injection-sink.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/groovy-injection` now recognizes `groovy.text.TemplateEngine.createTemplate` as a sink.

java/ql/test/query-tests/security/CWE-094/TemplateEngineTest.java

@@ -0,0 +1,30 @@
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.net.URL;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import groovy.text.TemplateEngine;
+
+public class TemplateEngineTest extends HttpServlet {
+
+    private Object source(HttpServletRequest request) {
+        return request.getParameter("script");
+    }
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            Object script = source(request);
+            TemplateEngine engine = null;
+            engine.createTemplate(request.getParameter("script")); // $ hasGroovyInjection
+            engine.createTemplate((File) script); // $ hasGroovyInjection
+            engine.createTemplate((Reader) script); // $ hasGroovyInjection
+            engine.createTemplate((URL) script); // $ hasGroovyInjection
+        } catch (Exception e) {
+        }
+
+    }
+}

java/ql/test/stubs/groovy-all-3.0.7/groovy/lang/Writable.java

@@ -0,0 +1,10 @@
+// Generated automatically from groovy.lang.Writable for testing purposes
+
+package groovy.lang;
+
+import java.io.Writer;
+
+public interface Writable
+{
+    Writer writeTo(Writer p0);
+}

java/ql/test/stubs/groovy-all-3.0.7/groovy/text/Template.java

@@ -0,0 +1,12 @@
+// Generated automatically from groovy.text.Template for testing purposes
+
+package groovy.text;
+
+import groovy.lang.Writable;
+import java.util.Map;
+
+public interface Template
+{
+    Writable make();
+    Writable make(Map p0);
+}

java/ql/test/stubs/groovy-all-3.0.7/groovy/text/TemplateEngine.java

@@ -0,0 +1,17 @@
+// Generated automatically from groovy.text.TemplateEngine for testing purposes
+
+package groovy.text;
+
+import groovy.text.Template;
+import java.io.File;
+import java.io.Reader;
+import java.net.URL;
+
+abstract public class TemplateEngine
+{
+    public Template createTemplate(File p0){ return null; }
+    public Template createTemplate(String p0){ return null; }
+    public Template createTemplate(URL p0){ return null; }
+    public TemplateEngine(){}
+    public abstract Template createTemplate(Reader p0);
+}