Include suggestions from review

2026-04-29 18:55:14 +02:00 · 2022-02-22 23:07:34 +05:30
parent e536628a66
commit c81d85f321
2 changed files with 3 additions and 3 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.qhelp
@@ -16,14 +16,14 @@
      <code>code</code>
      is used as a Velocity template string. This can lead to remote code execution.
    </p>
-    <sample src="SSTIBad.py" />
+    <sample src="SSTIBad.java" />

    <p>
      In the next example the problem is avoided by using a fixed template string
      <code>s</code>
      . Since, the template is not attacker controlled in this case, we prevent untrusted code execution.
    </p>
-    <sample src="SSTIGood.py" />
+    <sample src="SSTIGood.java" />
  </example>
  <references>
    <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JinJavaSSTI.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JinJavaSSTI.java
@@ -21,7 +21,7 @@ public class JinJavaSSTI {
 		String template = request.getParameter("template");
 		Jinjava jinjava = new Jinjava();
 		Map<String, Object> context = new HashMap<>();
-		// String render(String template, Map<String,?> bindings)
+		// String render(String template, Map<String,?> bindings)
 		String renderedTemplate = jinjava.render(template, context);
 	}