Merge pull request #10352 from atorralba/atorralba/promote-template-injection

Java: Promote Server-side template injection from experimental
2025-12-21 11:16:30 +01:00 · 2022-09-20 16:11:58 +02:00
parent 4614074d01 4af29e6abf
commit cbb64cc8c1
615 changed files with 16792 additions and 711 deletions
--- a/java/ql/src/Security/CWE/CWE-094/SSTIBad.java
+++ b/java/ql/src/Security/CWE/CWE-094/SSTIBad.java
@@ -0,0 +1,19 @@
+@Controller
+public class VelocitySSTI {
+
+	@GetMapping(value = "bad")
+	public void bad(HttpServletRequest request) {
+		Velocity.init();
+
+		String code = request.getParameter("code");
+
+		VelocityContext context = new VelocityContext();
+
+		context.put("name", "Velocity");
+		context.put("project", "Jakarta");
+
+		StringWriter w = new StringWriter();
+		// evaluate( Context context, Writer out, String logTag, String instring )
+		Velocity.evaluate(context, w, "mystring", code);
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-094/SSTIGood.java
+++ b/java/ql/src/Security/CWE/CWE-094/SSTIGood.java
@@ -0,0 +1,17 @@
+@Controller
+public class VelocitySSTI {
+
+	@GetMapping(value = "good")
+	public void good(HttpServletRequest request) {
+		Velocity.init();
+		VelocityContext context = new VelocityContext();
+
+		context.put("name", "Velocity");
+		context.put("project", "Jakarta");
+
+		String s = "We are using $project $name to render this.";
+		StringWriter w = new StringWriter();
+		Velocity.evaluate(context, w, "mystring", s);
+		System.out.println(" string : " + w);
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp
+++ b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Template injection occurs when user input is embedded in a template's code in an unsafe manner.
+An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+This permits the attacker to run arbitrary code in the server's context.
+</p>
+</overview>
+<recommendation>
+<p>
+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,
+use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+</p>
+</recommendation>
+<example>
+<p>
+In the example given below, an untrusted HTTP parameter <code>code</code> is used as a Velocity template string. 
+This can lead to remote code execution.
+</p>
+<sample src="SSTIBad.java" />
+
+<p>
+In the next example, the problem is avoided by using a fixed template string <code>s</code>.
+Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.
+</p>
+<sample src="SSTIGood.java" />
+</example>
+<references>
+<li>Portswigger: <a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a>.</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Server-side template injection
+ * @description Untrusted input interpreted as a template can lead to remote code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id java/server-side-template-injection
+ * @tags security
+ *       external/cwe/cwe-1336
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.security.TemplateInjectionQuery
+import DataFlow::PathGraph
+
+from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
+  source.getNode(), "a template value loaded from a remote source."