Tainting the freemarker dataModel isn't exploitable

Tony Torralba
2022-09-12 14:22:06 +02:00
parent dd6257c757
commit 79a32f1a3e
2 changed files with 3 additions and 4 deletions


@@ -74,7 +74,6 @@ private class TemplateInjectionSinkModels extends SinkModelCsv {
override predicate row(string row) {
row =
[
"freemarker.template;Template;true;process;;;Argument[0];ssti;manual",
"freemarker.template;Template;true;Template;(String,Reader);;Argument[1];ssti;manual",
"freemarker.template;Template;true;Template;(String,Reader,Configuration);;Argument[1];ssti;manual",
"freemarker.template;Template;true;Template;(String,Reader,Configuration,String);;Argument[1];ssti;manual",


@@ -104,14 +104,14 @@ public class FreemarkerSSTI {
stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
}
@GetMapping(value = "bad10")
public void bad10(HttpServletRequest request) {
@GetMapping(value = "good1")
public void good1(HttpServletRequest request) {
HashMap<Object, Object> root = new HashMap();
String code = request.getParameter("code");
root.put("code", code);
Configuration cfg = new Configuration();
Template temp = cfg.getTemplate("test.ftlh");
OutputStreamWriter out = new OutputStreamWriter(System.out);
temp.process(root, out); // $hasTemplateInjection
temp.process(root, out); // Safe
}
}
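Review bot: The `// Safe` marker on `temp.process(root, out)` in `good1` does not record why the call is safe, so the next reader cannot tell this case apart from the `bad*` cases above it. I would spell out the reasoning on that line, e.g. `temp.process(root, out); // Safe: only the data model is tainted, the template source (test.ftlh) is not`. That reasoning holds only while the template treats `code` as data. A template that re-evaluates a model value with `?interpret` or `?eval` would bring the tainted string back into template context, and whether `test.ftlh` does so is not visible from this hunk. Output encoding of the tainted value is a separate question (XSS, not SSTI), so the comment should not suggest the value is harmless in general.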