Include suggestions from review

This commit is contained in:
Porcupiney Hairs
2022-02-22 23:07:34 +05:30
parent e536628a66
commit c81d85f321
2 changed files with 3 additions and 3 deletions


@@ -16,14 +16,14 @@
<code>code</code>
is used as a Velocity template string. This can lead to remote code execution.
</p>
<sample src="SSTIBad.py" />
<sample src="SSTIBad.java" />
<p>
In the next example the problem is avoided by using a fixed template string
<code>s</code>
. Since, the template is not attacker controlled in this case, we prevent untrusted code execution.
</p>
<sample src="SSTIGood.py" />
<sample src="SSTIGood.java" />
</example>
<references>
<li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
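Review bot: in the `<references>` entry at the end of this hunk, the link is written in Markdown (`[Server Side Template Injection](https://...)`) inside an XML `<li>`, so it will most likely render as literal brackets rather than a link. Use `<a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a>` instead, and spell the vendor "PortSwigger". In the good-example paragraph, "Since, the template is not attacker controlled" has a stray comma after "Since"; that sentence would also help readers more if it said that untrusted input should reach the template only as context data, never as template text. The hunk as shown lists both the `.py` and the `.java` sample lines with no +/- markers; since the text describes a Velocity template string, please confirm that `SSTIBad.java` and `SSTIGood.java` are the lines that remain after this change.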