hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: convert TemplateInjection test to .qlref

Browse Source
This commit is contained in:
Nora Dimitrijević
2025-06-23 12:34:18 +02:00
parent b8c7bd29c3
commit c77875d834
10 changed files with 225 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java → java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
View File

@@ -20,88 +20,88 @@ public class FreemarkerSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Reader reader = new StringReader(code);
Template t = new Template(name, reader); // $hasTemplateInjection
Template t = new Template(name, reader); // $ Alert
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
Template t = new Template(name, reader, cfg); // $hasTemplateInjection
Template t = new Template(name, reader, cfg); // $ Alert
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
Template t = new Template(name, reader, cfg, "UTF-8"); // $hasTemplateInjection
Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert
}
@GetMapping(value = "bad4")
public void bad4(HttpServletRequest request) {
String name = "ttemplate";
String sourceCode = request.getParameter("sourceCode");
String sourceCode = request.getParameter("sourceCode"); // $ Source
Configuration cfg = new Configuration();
Template t = new Template(name, sourceCode, cfg); // $hasTemplateInjection
Template t = new Template(name, sourceCode, cfg); // $ Alert
}
@GetMapping(value = "bad5")
public void bad5(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Configuration cfg = new Configuration();
Reader reader = new StringReader(code);
Template t = new Template(name, sourceName, reader, cfg); // $hasTemplateInjection
Template t = new Template(name, sourceName, reader, cfg); // $ Alert
}
@GetMapping(value = "bad6")
public void bad6(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Configuration cfg = new Configuration();
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
Template t =
new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $hasTemplateInjection
new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert
}
@GetMapping(value = "bad7")
public void bad7(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
Configuration cfg = new Configuration();
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $hasTemplateInjection
Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert
}
@GetMapping(value = "bad8")
public void bad8(HttpServletRequest request) {
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
StringTemplateLoader stringLoader = new StringTemplateLoader();
stringLoader.putTemplate("myTemplate", code); // $hasTemplateInjection
stringLoader.putTemplate("myTemplate", code); // $ Alert
}
@GetMapping(value = "bad9")
public void bad9(HttpServletRequest request) {
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
StringTemplateLoader stringLoader = new StringTemplateLoader();
stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
stringLoader.putTemplate("myTemplate", code, 0); // $ Alert
}
@GetMapping(value = "good1")

12
java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java → java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java
View File

@@ -18,27 +18,27 @@ public class JinJavaSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String template = request.getParameter("template");
String template = request.getParameter("template"); // $ Source
Jinjava jinjava = new Jinjava();
Map<String, Object> context = new HashMap<>();
String renderedTemplate = jinjava.render(template, context); // $hasTemplateInjection
String renderedTemplate = jinjava.render(template, context); // $ Alert
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String template = request.getParameter("template");
String template = request.getParameter("template"); // $ Source
Jinjava jinjava = new Jinjava();
Map<String, Object> bindings = new HashMap<>();
RenderResult renderResult = jinjava.renderForResult(template, bindings); // $hasTemplateInjection
RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String template = request.getParameter("template");
String template = request.getParameter("template"); // $ Source
Jinjava jinjava = new Jinjava();
Map<String, Object> bindings = new HashMap<>();
JinjavaConfig renderConfig = new JinjavaConfig();
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $hasTemplateInjection
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert
}
}

8
java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java → java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java
View File

@@ -15,15 +15,15 @@ public class PebbleSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String templateName = request.getParameter("templateName");
String templateName = request.getParameter("templateName"); // $ Source
PebbleEngine engine = new PebbleEngine.Builder().build();
PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $hasTemplateInjection
PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String templateName = request.getParameter("templateName");
String templateName = request.getParameter("templateName"); // $ Source
PebbleEngine engine = new PebbleEngine.Builder().build();
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $hasTemplateInjection
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert
}
}

171
java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.expected Normal file
View File

@@ -0,0 +1,171 @@
#select
| FreemarkerSSTI.java:26:35:26:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:26:35:26:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:36:35:36:40 | reader | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:36:35:36:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:46:35:46:40 | reader | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:46:35:46:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:55:35:55:44 | sourceCode | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:65:47:65:52 | reader | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:65:47:65:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:77:36:77:41 | reader | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:77:36:77:41 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:88:47:88:52 | reader | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:88:47:88:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:96:42:96:45 | code | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | user-provided value |
| FreemarkerSSTI.java:104:42:104:45 | code | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) | user-provided value |
| JinJavaSSTI.java:24:44:24:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | user-provided value |
| JinJavaSSTI.java:32:55:32:62 | template | JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:29:21:29:52 | getParameter(...) | user-provided value |
| JinJavaSSTI.java:42:55:42:62 | template | JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:37:21:37:52 | getParameter(...) | user-provided value |
| PebbleSSTI.java:20:56:20:67 | templateName | PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:18:25:18:60 | getParameter(...) | user-provided value |
| PebbleSSTI.java:27:63:27:74 | templateName | PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:25:25:25:60 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:24:27:24:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:25:27:25:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:26:27:26:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:28:36:28:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:29:36:29:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:32:27:32:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:32:27:32:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:33:27:33:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:33:27:33:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| ThymeleafSSTI.java:34:36:34:39 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:34:36:34:39 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:37:45:37:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:51:45:51:50 | reader | VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:51:45:51:50 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:43:17:43:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:61:25:61:30 | reader | VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:61:25:61:30 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:57:17:57:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:93:37:93:40 | code | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value |
| VelocitySSTI.java:117:37:117:40 | code | VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:114:17:114:44 | getParameter(...) | user-provided value |
edges
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:26:35:26:40 | reader | provenance | Sink:MaD:6 |
| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:33:36:33:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:36:35:36:40 | reader | provenance | Sink:MaD:7 |
| FreemarkerSSTI.java:33:36:33:39 | code : String | FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:43:36:43:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:46:35:46:40 | reader | provenance | Sink:MaD:8 |
| FreemarkerSSTI.java:43:36:43:39 | code : String | FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | provenance | Src:MaD:19 Sink:MaD:9 |
| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:63:36:63:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:65:47:65:52 | reader | provenance | Sink:MaD:10 |
| FreemarkerSSTI.java:63:36:63:39 | code : String | FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:74:36:74:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:77:36:77:41 | reader | provenance | Sink:MaD:11 |
| FreemarkerSSTI.java:74:36:74:39 | code : String | FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:86:36:86:39 | code : String | provenance | Src:MaD:19 |
| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:88:47:88:52 | reader | provenance | Sink:MaD:12 |
| FreemarkerSSTI.java:86:36:86:39 | code : String | FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | provenance | Src:MaD:19 Sink:MaD:5 |
| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | provenance | Src:MaD:19 Sink:MaD:5 |
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | provenance | Src:MaD:19 Sink:MaD:1 |
| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | provenance | Src:MaD:19 Sink:MaD:2 |
| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | provenance | Src:MaD:19 Sink:MaD:2 |
| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | provenance | Src:MaD:19 Sink:MaD:4 |
| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | provenance | Src:MaD:19 Sink:MaD:3 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | provenance | Src:MaD:19 Sink:MaD:18 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | provenance | Src:MaD:19 Sink:MaD:18 |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:31:41:31:44 | code : String | provenance | Src:MaD:19 |
| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:32:27:32:30 | spec | provenance | Sink:MaD:17 |
| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:33:27:33:30 | spec | provenance | Sink:MaD:17 |
| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:34:36:34:39 | spec | provenance | Sink:MaD:18 |
| ThymeleafSSTI.java:31:41:31:44 | code : String | ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | provenance | MaD:21 |
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | provenance | Src:MaD:19 Sink:MaD:13 |
| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:49:42:49:45 | code : String | provenance | Src:MaD:19 |
| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | VelocitySSTI.java:51:45:51:50 | reader | provenance | Sink:MaD:13 |
| VelocitySSTI.java:49:42:49:45 | code : String | VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | provenance | MaD:20 |
| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:60:42:60:45 | code : String | provenance | Src:MaD:19 |
| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | VelocitySSTI.java:61:25:61:30 | reader | provenance | Sink:MaD:16 |
| VelocitySSTI.java:60:42:60:45 | code : String | VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | provenance | MaD:20 |
| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | provenance | Src:MaD:19 Sink:MaD:14 |
| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:54:94:57 | code : String | provenance | Src:MaD:19 |
| VelocitySSTI.java:94:54:94:57 | code : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | provenance | MaD:20 Sink:MaD:14 |
| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | provenance | Src:MaD:19 Sink:MaD:15 |
models
| 1 | Sink: com.hubspot.jinjava; Jinjava; true; render; ; ; Argument[0]; template-injection; manual |
| 2 | Sink: com.hubspot.jinjava; Jinjava; true; renderForResult; ; ; Argument[0]; template-injection; manual |
| 3 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getLiteralTemplate; ; ; Argument[0]; template-injection; manual |
| 4 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getTemplate; ; ; Argument[0]; template-injection; manual |
| 5 | Sink: freemarker.cache; StringTemplateLoader; true; putTemplate; ; ; Argument[1]; template-injection; manual |
| 6 | Sink: freemarker.template; Template; true; Template; (String,Reader); ; Argument[1]; template-injection; manual |
| 7 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration); ; Argument[1]; template-injection; manual |
| 8 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration,String); ; Argument[1]; template-injection; manual |
| 9 | Sink: freemarker.template; Template; true; Template; (String,String,Configuration); ; Argument[1]; template-injection; manual |
| 10 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration); ; Argument[2]; template-injection; manual |
| 11 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,ParserConfiguration,String); ; Argument[2]; template-injection; manual |
| 12 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,String); ; Argument[2]; template-injection; manual |
| 13 | Sink: org.apache.velocity.app; Velocity; true; evaluate; ; ; Argument[3]; template-injection; manual |
| 14 | Sink: org.apache.velocity.app; VelocityEngine; true; evaluate; ; ; Argument[3]; template-injection; manual |
| 15 | Sink: org.apache.velocity.runtime.resource.util; StringResourceRepository; true; putStringResource; ; ; Argument[1]; template-injection; manual |
| 16 | Sink: org.apache.velocity.runtime; RuntimeServices; true; parse; ; ; Argument[0]; template-injection; manual |
| 17 | Sink: org.thymeleaf; ITemplateEngine; true; process; ; ; Argument[0]; template-injection; manual |
| 18 | Sink: org.thymeleaf; ITemplateEngine; true; processThrottled; ; ; Argument[0]; template-injection; manual |
| 19 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
| 20 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 21 | Summary: org.thymeleaf; TemplateSpec; false; TemplateSpec; ; ; Argument[0]; Argument[this]; taint; manual |
nodes
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:26:35:26:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:33:36:33:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:36:35:36:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:43:36:43:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:46:35:46:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:55:35:55:44 | sourceCode | semmle.label | sourceCode |
| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:63:36:63:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:65:47:65:52 | reader | semmle.label | reader |
| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:74:36:74:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:77:36:77:41 | reader | semmle.label | reader |
| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:86:36:86:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:88:47:88:52 | reader | semmle.label | reader |
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:96:42:96:45 | code | semmle.label | code |
| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:104:42:104:45 | code | semmle.label | code |
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:24:44:24:51 | template | semmle.label | template |
| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:32:55:32:62 | template | semmle.label | template |
| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:42:55:42:62 | template | semmle.label | template |
| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| PebbleSSTI.java:20:56:20:67 | templateName | semmle.label | templateName |
| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| PebbleSSTI.java:27:63:27:74 | templateName | semmle.label | templateName |
| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ThymeleafSSTI.java:24:27:24:30 | code | semmle.label | code |
| ThymeleafSSTI.java:25:27:25:30 | code | semmle.label | code |
| ThymeleafSSTI.java:26:27:26:30 | code | semmle.label | code |
| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code |
| ThymeleafSSTI.java:28:36:28:39 | code | semmle.label | code |
| ThymeleafSSTI.java:29:36:29:39 | code | semmle.label | code |
| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | semmle.label | new TemplateSpec(...) : TemplateSpec |
| ThymeleafSSTI.java:31:41:31:44 | code : String | semmle.label | code : String |
| ThymeleafSSTI.java:32:27:32:30 | spec | semmle.label | spec |
| ThymeleafSSTI.java:33:27:33:30 | spec | semmle.label | spec |
| ThymeleafSSTI.java:34:36:34:39 | spec | semmle.label | spec |
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:37:45:37:48 | code | semmle.label | code |
| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| VelocitySSTI.java:49:42:49:45 | code : String | semmle.label | code : String |
| VelocitySSTI.java:51:45:51:50 | reader | semmle.label | reader |
| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| VelocitySSTI.java:60:42:60:45 | code : String | semmle.label | code : String |
| VelocitySSTI.java:61:25:61:30 | reader | semmle.label | reader |
| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:93:37:93:40 | code | semmle.label | code |
| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | semmle.label | new StringReader(...) |
| VelocitySSTI.java:94:54:94:57 | code : String | semmle.label | code : String |
| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:117:37:117:40 | code | semmle.label | code |
subpaths

4
java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-094/TemplateInjection.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

20
java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java → java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java
View File

@@ -18,20 +18,20 @@ import org.thymeleaf.context.Context;
public class ThymeleafSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
try {
TemplateEngine templateEngine = new TemplateEngine();
templateEngine.process(code, (Set<String>) null, (Context) null); // $hasTemplateInjection
templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $hasTemplateInjection
templateEngine.process(code, (Context) null); // $hasTemplateInjection
templateEngine.process(code, (Context) null, (Writer) null); // $hasTemplateInjection
templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $hasTemplateInjection
templateEngine.processThrottled(code, (Context) null); // $hasTemplateInjection
templateEngine.process(code, (Set<String>) null, (Context) null); // $ Alert
templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $ Alert
templateEngine.process(code, (Context) null); // $ Alert
templateEngine.process(code, (Context) null, (Writer) null); // $ Alert
templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $ Alert
templateEngine.processThrottled(code, (Context) null); // $ Alert
TemplateSpec spec = new TemplateSpec(code, "");
templateEngine.process(spec, (Context) null); // $hasTemplateInjection
templateEngine.process(spec, (Context) null, (Writer) null); // $hasTemplateInjection
templateEngine.processThrottled(spec, (Context) null); // $hasTemplateInjection
templateEngine.process(spec, (Context) null); // $ Alert
templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert
templateEngine.processThrottled(spec, (Context) null); // $ Alert
} catch (Exception e) {
}
}

22
java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java → java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java
View File

@@ -28,19 +28,19 @@ public class VelocitySSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
VelocityContext context = null;
String s = "We are using $project $name to render this.";
StringWriter w = new StringWriter();
Velocity.evaluate(context, w, "mystring", code); // $hasTemplateInjection
Velocity.evaluate(context, w, "mystring", code); // $ Alert
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
VelocityContext context = null;
@@ -48,17 +48,17 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
StringReader reader = new StringReader(code);
Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
Velocity.evaluate(context, w, "mystring", reader); // $ Alert
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
RuntimeServices runtimeServices = null;
StringReader reader = new StringReader(code);
runtimeServices.parse(reader, new Template()); // $hasTemplateInjection
runtimeServices.parse(reader, new Template()); // $ Alert
}
@GetMapping(value = "good1")
@@ -78,7 +78,7 @@ public class VelocitySSTI {
@GetMapping(value = "bad5")
public void bad5(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
VelocityContext context = new VelocityContext();
context.put("code", code);
@@ -90,8 +90,8 @@ public class VelocitySSTI {
ctx.put("key", code);
engine.evaluate(ctx, null, null, (String) null); // Safe
engine.evaluate(ctx, null, null, (Reader) null); // Safe
engine.evaluate(null, null, null, code); // $hasTemplateInjection
engine.evaluate(null, null, null, new StringReader(code)); // $hasTemplateInjection
engine.evaluate(null, null, null, code); // $ Alert
engine.evaluate(null, null, null, new StringReader(code)); // $ Alert
}
@GetMapping(value = "good2")
@@ -111,10 +111,10 @@ public class VelocitySSTI {
@GetMapping(value = "bad6")
public void bad6(HttpServletRequest request) {
String code = request.getParameter("code");
String code = request.getParameter("code"); // $ Source
StringResourceRepository repo = new StringResourceRepositoryImpl();
repo.putStringResource("woogie2", code); // $hasTemplateInjection
repo.putStringResource("woogie2", code); // $ Alert
}
}

1
java/ql/test/query-tests/security/CWE-094/TemplateInjection/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

0
java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected
View File

18
java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql
View File

@@ -1,18 +0,0 @@
import java
import semmle.code.java.security.TemplateInjectionQuery
import utils.test.InlineExpectationsTest
module TemplateInjectionTest implements TestSig {
string getARelevantTag() { result = "hasTemplateInjection" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasTemplateInjection" and
exists(DataFlow::Node sink | TemplateInjectionFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<TemplateInjectionTest>