Move files from experimental
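--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java
@@ -0,0 +1,132 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.OutputStreamWriter;
+import java.util.HashMap;
+
+import freemarker.template.Template;
+import freemarker.template.Configuration;
+import freemarker.cache.StringTemplateLoader;
+import freemarker.template.ParserConfiguration;
+
+@Controller
+public class FreemarkerSSTI {
+String sourceName = "sourceName";
+
+@GetMapping(value = "bad1")
+public void bad1(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Reader reader = new StringReader(code);
+
+// Template(java.lang.String name, java.io.Reader reader)
+Template t = new Template(name, reader);
+}
+
+@GetMapping(value = "bad2")
+public void bad2(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Reader reader = new StringReader(code);
+Configuration cfg = new Configuration();
+
+// Template(java.lang.String name, java.io.Reader reader, Configuration cfg)
+Template t = new Template(name, reader, cfg);
+}
+
+@GetMapping(value = "bad3")
+public void bad3(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Reader reader = new StringReader(code);
+Configuration cfg = new Configuration();
+
+// Template(java.lang.String name, java.io.Reader reader, Configuration cfg,
+// java.lang.String encoding)
+Template t = new Template(name, reader, cfg, "UTF-8");
+}
+
+@GetMapping(value = "bad4")
+public void bad4(HttpServletRequest request) {
+String name = "ttemplate";
+String sourceCode = request.getParameter("sourceCode");
+Configuration cfg = new Configuration();
+
+// Template(java.lang.String name, java.lang.String sourceCode, Configuration
+// cfg)
+Template t = new Template(name, sourceCode, cfg);
+}
+
+@GetMapping(value = "bad5")
+public void bad5(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Configuration cfg = new Configuration();
+Reader reader = new StringReader(code);
+
+// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+// reader, Configuration cfg)
+Template t = new Template(name, sourceName, reader, cfg);
+}
+
+@GetMapping(value = "bad6")
+public void bad6(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Configuration cfg = new Configuration();
+ParserConfiguration customParserConfiguration = new Configuration();
+Reader reader = new StringReader(code);
+
+// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+// reader, Configuration cfg, ParserConfiguration customParserConfiguration,
+// java.lang.String encoding)
+Template t = new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8");
+}
+
+@GetMapping(value = "bad7")
+public void bad7(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+Configuration cfg = new Configuration();
+ParserConfiguration customParserConfiguration = new Configuration();
+Reader reader = new StringReader(code);
+
+// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
+// reader, Configuration cfg, java.lang.String encoding)
+Template t = new Template(name, sourceName, reader, cfg, "UTF-8");
+}
+
+@GetMapping(value = "bad8")
+public void bad8(HttpServletRequest request) {
+String code = request.getParameter("code");
+StringTemplateLoader stringLoader = new StringTemplateLoader();
+
+// void putTemplate(java.lang.String name, java.lang.String templateContent)
+stringLoader.putTemplate("myTemplate", code);
+}
+
+@GetMapping(value = "bad9")
+public void bad9(HttpServletRequest request) {
+String code = request.getParameter("code");
+StringTemplateLoader stringLoader = new StringTemplateLoader();
+
+// void putTemplate(java.lang.String name, java.lang.String templateContent,
+// long lastModified)
+stringLoader.putTemplate("myTemplate", code, 0);
+}
+
+@GetMapping(value = "bad10")
+public void bad10(HttpServletRequest request) {
+HashMap root = new HashMap();
+String code = request.getParameter("code");
+root.put("code", code);
+Configuration cfg = new Configuration();
+Template temp = cfg.getTemplate("test.ftlh");
+OutputStreamWriter out = new OutputStreamWriter(System.out);
+temp.process(root, out);
+}
+}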
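Review bot: bad10, the `temp.process(root, out)` call at the end of this file, labels a request parameter stored in the data model as a template-injection sink, yet the template parsed there is the fixed `test.ftlh` and `code` only reaches the engine as a model value, which FreeMarker renders as data rather than parses as template source; the expected row at FreemarkerSSTI.java:130 therefore pins what looks like a false positive into the test. If the query deliberately treats the model as a sink (for templates that re-parse values, e.g. via `?interpret` or `?eval`), record that on the method, `// data-model value, not template source: flagged because a template can re-parse it with ?interpret/?eval`; otherwise rename it to a good case and drop the expected row. Note also that no method here renders a constant template, so a query that flagged every `new Template(...)` would still pass this test.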
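--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java
@@ -0,0 +1,48 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.hubspot.jinjava.*;
+import com.hubspot.jinjava.JinjavaConfig;
+import com.hubspot.jinjava.interpret.*;
+
+@Controller
+public class JinJavaSSTI {
+String sourceName = "sourceName";
+
+@GetMapping(value = "bad1")
+public void bad1(HttpServletRequest request) {
+String template = request.getParameter("template");
+Jinjava jinjava = new Jinjava();
+Map<String, Object> context = new HashMap<>();
+// String render(String template, Map<String, ?> bindings)
+String renderedTemplate = jinjava.render(template, context);
+}
+
+@GetMapping(value = "bad2")
+public void bad2(HttpServletRequest request) {
+String template = request.getParameter("template");
+Jinjava jinjava = new Jinjava();
+Map<String, Object> bindings = new HashMap<>();
+// RenderResult renderForResult (String template, Map<String, ?> bindings)
+RenderResult renderResult = jinjava.renderForResult(template, bindings);
+}
+
+@GetMapping(value = "bad3")
+public void bad3(HttpServletRequest request) {
+String template = request.getParameter("template");
+Jinjava jinjava = new Jinjava();
+Map<String, Object> bindings = new HashMap<>();
+JinjavaConfig renderConfig = new JinjavaConfig();
+
+// RenderResult renderForResult (String template, Map<String, ?> bindings,
+// JinjavaConfig renderConfig)
+RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig);
+}
+}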
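Review bot: The file only contains bad cases, so it cannot detect the query over-reporting: a `good1` whose template is a literal and whose bindings carry the request value, `String renderedTemplate = jinjava.render("Hello {{ name }}", context);` after `context.put("name", request.getParameter("name"));`, would pin that data passed as a binding is not reported while user-controlled template text is. The `sourceName` field and the `Reader`/`StringReader` imports appear to be copied from the FreeMarker fixture and are unused here; dropping them keeps the fixture focused on the three `render`/`renderForResult` overloads it documents.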
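--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java
@@ -0,0 +1,30 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+
+import com.mitchellbosecke.pebble.PebbleEngine;
+import com.mitchellbosecke.pebble.template.*;
+
+@Controller
+public class PebbleSSTI {
+String sourceName = "sourceName";
+
+@GetMapping(value = "bad1")
+public void bad1(HttpServletRequest request) {
+String code = request.getParameter("code");
+PebbleEngine engine = new PebbleEngine.Builder().build();
+// public PebbleTemplate getTemplate(String templateName)
+PebbleTemplate compiledTemplate = engine.getTemplate(code);
+}
+@GetMapping(value = "bad2")
+public void bad2(HttpServletRequest request) {
+String code = request.getParameter("code");
+PebbleEngine engine = new PebbleEngine.Builder().build();
+// public PebbleTemplate getLiteralTemplate(String templateName)
+PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code);
+}
+}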
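Review bot: bad1 passes the request parameter as the argument the file's own comment calls `templateName`, which `getTemplate` resolves through the engine's loader, so with the default `PebbleEngine.Builder().build()` loaders the untrusted value selects which template file to load rather than supplying template source; only `getLiteralTemplate` in bad2 parses the string itself. Whether bad1 is a template-injection sink thus depends on a loader that treats the name as content (Pebble ships a string loader for that, as far as I recall), and the fixture should say which case it is asserting, e.g. `// sink only when the engine is built with a loader that treats the name as template source`. Without that note a reader, or a later change to the query's sink list, cannot tell an intended positive from a file-selection finding that belongs to a different query.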
@@ -0,0 +1,136 @@
|
||||
edges
|
||||
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String |
|
||||
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:27:35:27:40 | reader |
|
||||
| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:34:36:34:39 | code : String |
|
||||
| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:38:35:38:40 | reader |
|
||||
| FreemarkerSSTI.java:34:36:34:39 | code : String | FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:45:36:45:39 | code : String |
|
||||
| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:50:35:50:40 | reader |
|
||||
| FreemarkerSSTI.java:45:36:45:39 | code : String | FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode |
|
||||
| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:69:36:69:39 | code : String |
|
||||
| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:73:47:73:52 | reader |
|
||||
| FreemarkerSSTI.java:69:36:69:39 | code : String | FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:82:36:82:39 | code : String |
|
||||
| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:87:47:87:52 | reader |
|
||||
| FreemarkerSSTI.java:82:36:82:39 | code : String | FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:36:96:39 | code : String |
|
||||
| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:100:47:100:52 | reader |
|
||||
| FreemarkerSSTI.java:96:36:96:39 | code : String | FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code |
|
||||
| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code |
|
||||
| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:126:26:126:29 | code : String |
|
||||
| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | FreemarkerSSTI.java:130:22:130:25 | root |
|
||||
| FreemarkerSSTI.java:126:26:126:29 | code : String | FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String |
|
||||
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template |
|
||||
| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template |
|
||||
| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template |
|
||||
| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code |
|
||||
| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code |
|
||||
| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code |
|
||||
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code |
|
||||
| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:50:42:50:45 | code : String |
|
||||
| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | VelocitySSTI.java:53:45:53:50 | reader |
|
||||
| VelocitySSTI.java:50:42:50:45 | code : String | VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader |
|
||||
| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:62:42:62:45 | code : String |
|
||||
| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | VelocitySSTI.java:63:25:63:30 | reader |
|
||||
| VelocitySSTI.java:62:42:62:45 | code : String | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader |
|
||||
| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context |
|
||||
| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context |
|
||||
| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context |
|
||||
| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context |
|
||||
| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code |
|
||||
nodes
|
||||
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:27:35:27:40 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:34:36:34:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:38:35:38:40 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:45:36:45:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:50:35:50:40 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:61:35:61:44 | sourceCode | semmle.label | sourceCode |
|
||||
| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:69:36:69:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:73:47:73:52 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:82:36:82:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:87:47:87:52 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| FreemarkerSSTI.java:96:36:96:39 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:100:47:100:52 | reader | semmle.label | reader |
|
||||
| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:109:42:109:45 | code | semmle.label | code |
|
||||
| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:119:42:119:45 | code | semmle.label | code |
|
||||
| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | semmle.label | root [post update] [<map.value>] : String |
|
||||
| FreemarkerSSTI.java:126:26:126:29 | code : String | semmle.label | code : String |
|
||||
| FreemarkerSSTI.java:130:22:130:25 | root | semmle.label | root |
|
||||
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| JinJavaSSTI.java:25:44:25:51 | template | semmle.label | template |
|
||||
| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| JinJavaSSTI.java:34:55:34:62 | template | semmle.label | template |
|
||||
| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| JinJavaSSTI.java:46:55:46:62 | template | semmle.label | template |
|
||||
| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PebbleSSTI.java:21:56:21:59 | code | semmle.label | code |
|
||||
| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PebbleSSTI.java:28:63:28:66 | code | semmle.label | code |
|
||||
| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code |
|
||||
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:38:45:38:48 | code | semmle.label | code |
|
||||
| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| VelocitySSTI.java:50:42:50:45 | code : String | semmle.label | code : String |
|
||||
| VelocitySSTI.java:53:45:53:50 | reader | semmle.label | reader |
|
||||
| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
|
||||
| VelocitySSTI.java:62:42:62:45 | code : String | semmle.label | code : String |
|
||||
| VelocitySSTI.java:63:25:63:30 | reader | semmle.label | reader |
|
||||
| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:77:21:77:27 | context | semmle.label | context |
|
||||
| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:89:60:89:66 | context | semmle.label | context |
|
||||
| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:102:11:102:17 | context | semmle.label | context |
|
||||
| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:115:11:115:17 | context | semmle.label | context |
|
||||
| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| VelocitySSTI.java:123:37:123:40 | code | semmle.label | code |
|
||||
subpaths
|
||||
#select
|
||||
| FreemarkerSSTI.java:27:35:27:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:27:35:27:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:38:35:38:40 | reader | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:38:35:38:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:50:35:50:40 | reader | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:50:35:50:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:61:35:61:44 | sourceCode | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:73:47:73:52 | reader | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:73:47:73:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:87:47:87:52 | reader | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:87:47:87:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:100:47:100:52 | reader | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:100:47:100:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:109:42:109:45 | code | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:119:42:119:45 | code | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| FreemarkerSSTI.java:130:22:130:25 | root | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:130:22:130:25 | root | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| JinJavaSSTI.java:25:44:25:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| JinJavaSSTI.java:34:55:34:62 | template | JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:30:21:30:52 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| JinJavaSSTI.java:46:55:46:62 | template | JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:39:21:39:52 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| PebbleSSTI.java:21:56:21:59 | code | PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:18:17:18:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| PebbleSSTI.java:28:63:28:66 | code | PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:25:17:25:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Potential arbitrary code execution due to $@. | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:38:45:38:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:53:45:53:50 | reader | VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:53:45:53:50 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:63:25:63:30 | reader | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:63:25:63:30 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:59:17:59:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:77:21:77:27 | context | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:69:17:69:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:89:60:89:66 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:102:11:102:17 | context | VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:95:17:95:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:115:11:115:17 | context | VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:108:17:108:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
| VelocitySSTI.java:123:37:123:40 | code | VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:120:17:120:44 | getParameter(...) | a template value loaded from a remote source. |
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE/CWE-094/TemplateInjection.ql
|
||||
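--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java
@@ -0,0 +1,31 @@
+import javax.imageio.stream.FileImageInputStream;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.Writer;
+
+import org.thymeleaf.*;
+import org.thymeleaf.context.Context;
+
+@Controller
+public class ThymeleafSSTI {
+String sourceName = "sourceName";
+
+@GetMapping(value = "bad1")
+public void bad1(HttpServletRequest request) {
+String code = request.getParameter("code");
+Context ctx = new Context();
+try {
+FileWriter fw = new FileWriter(new File("as"));
+TemplateEngine templateEngine = new TemplateEngine();
+templateEngine.process(code, ctx, fw);
+} catch (Exception e) {
+}
+}
+}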
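Review bot: The fixture opens a real file, `new FileWriter(new File("as"))`, and wraps the call in an empty `catch (Exception e)` solely to make that compile, while the `javax.imageio.stream.FileImageInputStream` import is unused; a `StringWriter`, as the Velocity fixture uses, needs neither and keeps the test free of filesystem side effects. The finding itself rests on `process(code, ctx, fw)` being handed template source, which for a bare `new TemplateEngine()` depends on Thymeleaf's default string-based resolution when no resolver is configured (as I recall); a one-line comment stating that assumption, `// no resolver configured: the first argument is parsed as template text, not looked up by name`, would explain why `code` is the sink here.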
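--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java
@@ -0,0 +1,126 @@
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.lang.String;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.OutputStreamWriter;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.util.HashMap;
+import java.util.LinkedList;
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.context.AbstractContext;
+import org.apache.velocity.context.Context;
+import org.apache.velocity.Template;
+import org.apache.velocity.app.Velocity;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeServices;
+import org.apache.velocity.runtime.resource.util.StringResourceRepository;
+import org.apache.velocity.runtime.resource.util.StringResourceRepositoryImpl;
+
+@Controller
+public class VelocitySSTI {
+String sourceName = "sourceName";
+
+@GetMapping(value = "bad1")
+public void bad1(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = null;
+
+String s = "We are using $project $name to render this.";
+StringWriter w = new StringWriter();
+// evaluate( Context context, Writer out, String logTag, String instring )
+Velocity.evaluate(context, w, "mystring", code);
+}
+
+@GetMapping(value = "bad2")
+public void bad2(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = null;
+
+String s = "We are using $project $name to render this.";
+StringWriter w = new StringWriter();
+StringReader reader = new StringReader(code);
+
+// evaluate(Context context, Writer writer, String logTag, Reader reader)
+Velocity.evaluate(context, w, "mystring", reader);
+}
+
+@GetMapping(value = "bad3")
+public void bad3(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+RuntimeServices runtimeServices = new RuntimeServices();
+StringReader reader = new StringReader(code);
+runtimeServices.parse(reader, new Template());
+}
+
+@GetMapping(value = "bad4")
+public void bad4(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = new VelocityContext();
+context.put("code", code);
+
+StringWriter w = new StringWriter();
+StringReader reader = new StringReader("test");
+
+Velocity.evaluate(context, w, "mystring", reader);
+}
+
+@GetMapping(value = "bad5")
+public void bad5(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = new VelocityContext();
+context.put("code", code);
+
+StringWriter w = new StringWriter();
+VelocityEngine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
+}
+
+@GetMapping(value = "bad6")
+public void bad6(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = new VelocityContext();
+context.put("code", code);
+
+StringWriter w = new StringWriter();
+Template t = new Template();
+t.merge(context, w);
+}
+
+@GetMapping(value = "bad7")
+public void bad7(HttpServletRequest request) {
+String name = "ttemplate";
+String code = request.getParameter("code");
+
+VelocityContext context = new VelocityContext();
+context.put("code", code);
+
+StringWriter w = new StringWriter();
+Template t = new Template();
+t.merge(context, w, new LinkedList<String>());
+}
+
+@GetMapping(value = "bad8")
+public void bad8(HttpServletRequest request) {
+String code = request.getParameter("code");
+
+StringResourceRepository repo = new StringResourceRepositoryImpl();
+repo.putStringResource("woogie2", code);
+
+}
+}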
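Review bot: bad3 instantiates `new RuntimeServices()` and bad5 calls `VelocityEngine.mergeTemplate(...)` statically, but in the real library `RuntimeServices` is an interface (implemented by `RuntimeInstance`) and `mergeTemplate` is an instance method of `VelocityEngine` (the static form lives on `Velocity`), so as far as I can tell these two cases compile only against the hand-written stubs and do not reflect call shapes the query will meet in user code; `RuntimeServices runtimeServices = new RuntimeInstance();` and `new VelocityEngine().mergeTemplate("testtemplate.vm", "UTF-8", context, w);` would exercise the same sinks with the real signatures. Separately, bad4 to bad7 only place the request value in the `VelocityContext` while the template text is the constant `"test"`, a named `testtemplate.vm`, or an empty `new Template()`, so the expected rows that flag `context` assert that data-model values are sinks; if that is intended it deserves a comment on those methods, e.g. `// context value, not template text: flagged because a template can re-evaluate it (#evaluate)`, otherwise they are good cases.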
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}/../../../experimental/stubs/apache-freemarker-2.3.31:${testdir}/../../../experimental/stubs/jinjava-2.6.0:${testdir}/../../../experimental/stubs/pebble-3.1.5:${testdir}/../../../experimental/stubs/thymeleaf-3.0.14:${testdir}/../../../experimental/stubs/apache-velocity-2.3
|
||||
|
||||