Tainting the velocity context isn't exploitable

2026-05-05 13:45:19 +02:00 · 2022-09-12 11:38:29 +02:00
parent d748fb5648
commit 409a123490
4 changed files with 23 additions and 51 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -117,7 +117,6 @@ private module Frameworks {
  private import semmle.code.java.frameworks.Retrofit
  private import semmle.code.java.frameworks.Stream
  private import semmle.code.java.frameworks.Strings
-  private import semmle.code.java.frameworks.Velocity
  private import semmle.code.java.frameworks.ratpack.Ratpack
  private import semmle.code.java.frameworks.ratpack.RatpackExec
  private import semmle.code.java.frameworks.spring.SpringCache
--- a/java/ql/lib/semmle/code/java/frameworks/Velocity.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Velocity.qll
@@ -1,14 +0,0 @@
-/** Definitions related to the Apache Velocity templating library. */
-
-import java
-private import semmle.code.java.dataflow.ExternalFlow
-
-private class VelocitySummaryModels extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "org.apache.velocity.context;AbstractContext;true;put;;;Argument[1];Argument[-1];taint;manual",
-        "org.apache.velocity.context;AbstractContext;true;internalPut;;;Argument[1];Argument[-1];taint;manual",
-      ]
-  }
-}
--- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
@@ -89,18 +89,14 @@ private class TemplateInjectionSinkModels extends SinkModelCsv {
        "com.hubspot.jinjava;Jinjava;true;render;;;Argument[0];ssti;manual",
        "org.thymeleaf;ITemplateEngine;true;process;;;Argument[0];ssti;manual",
        "org.thymeleaf;ITemplateEngine;true;processThrottled;;;Argument[0];ssti;manual",
-        "org.apache.velocity.app;Velocity;true;evaluate;;;Argument[0];ssti;manual",
        "org.apache.velocity.app;Velocity;true;evaluate;;;Argument[3];ssti;manual",
        "org.apache.velocity.app;Velocity;true;mergeTemplate;;;Argument[2];ssti;manual",
-        "org.apache.velocity.app;VelocityEngine;true;evaluate;;;Argument[0];ssti;manual",
        "org.apache.velocity.app;VelocityEngine;true;evaluate;;;Argument[3];ssti;manual",
        "org.apache.velocity.app;VelocityEngine;true;mergeTemplate;;;Argument[2];ssti;manual",
        "org.apache.velocity.runtime.resource.util;StringResourceRepository;true;putStringResource;;;Argument[1];ssti;manual",
-        "org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[0];ssti;manual",
        "org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[3];ssti;manual",
        "org.apache.velocity.runtime;RuntimeServices;true;parse;;;Argument[0];ssti;manual",
-        "org.apache.velocity.runtime;RuntimeSingleton;true;parse;;;Argument[0];ssti;manual",
-        "org.apache.velocity;Template;true;merge;;;Argument[0];ssti;manual"
+        "org.apache.velocity.runtime;RuntimeSingleton;true;parse;;;Argument[0];ssti;manual"
      ]
  }
 }