From e311155acdd405d39b13c46a29c8e047ef8a1f5f Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Thu, 8 Sep 2022 13:42:25 +0200
Subject: [PATCH] Use InlineExpectationsTest
---
 .../security/CWE-094/FreemarkerSSTI.java | 49 ++----
 .../security/CWE-094/JinJavaSSTI.java | 10 +-
 .../security/CWE-094/PebbleSSTI.java | 9 +-
 .../CWE-094/TemplateInjection.expected | 152 ------------------
 .../security/CWE-094/TemplateInjection.qlref | 1 -
 .../CWE-094/TemplateInjectionTest.expected | 0
 .../security/CWE-094/TemplateInjectionTest.ql | 20 +++
 .../security/CWE-094/ThymeleafSSTI.java | 2 +-
 .../security/CWE-094/VelocitySSTI.java | 18 +--
 9 files changed, 54 insertions(+), 207 deletions(-)
 delete mode 100644 java/ql/test/query-tests/security/CWE-094/TemplateInjection.expected
 delete mode 100644 java/ql/test/query-tests/security/CWE-094/TemplateInjection.qlref
 create mode 100644 java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected
 create mode 100644 java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql
diff --git a/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java b/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java
index 9c65f769b11..51a1555c058 100644
--- a/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java
@@ -23,8 +23,7 @@ public class FreemarkerSSTI {
 String code = request.getParameter("code");
 Reader reader = new StringReader(code);
- // Template(java.lang.String name, java.io.Reader reader)
- Template t = new Template(name, reader);
+ Template t = new Template(name, reader); // $hasTemplateInjection
 }
 @GetMapping(value = "bad2")
@@ -33,9 +32,8 @@ public class FreemarkerSSTI {
 String code = request.getParameter("code");
 Reader reader = new StringReader(code);
 Configuration cfg = new Configuration();
-
- // Template(java.lang.String name, java.io.Reader reader, Configuration cfg)
- Template t = new Template(name, reader, cfg);
+
+ Template t = new Template(name, reader, cfg); // $hasTemplateInjection
 }
 @GetMapping(value = "bad3")
@@ -45,9 +43,7 @@ public class FreemarkerSSTI {
 Reader reader = new StringReader(code);
 Configuration cfg = new Configuration();
- // Template(java.lang.String name, java.io.Reader reader, Configuration cfg,
- // java.lang.String encoding)
- Template t = new Template(name, reader, cfg, "UTF-8");
+ Template t = new Template(name, reader, cfg, "UTF-8"); // $hasTemplateInjection
 }
 @GetMapping(value = "bad4")
@@ -56,9 +52,7 @@ public class FreemarkerSSTI {
 String sourceCode = request.getParameter("sourceCode");
 Configuration cfg = new Configuration();
- // Template(java.lang.String name, java.lang.String sourceCode, Configuration
- // cfg)
- Template t = new Template(name, sourceCode, cfg);
+ Template t = new Template(name, sourceCode, cfg); // $hasTemplateInjection
 }
 @GetMapping(value = "bad5")
@@ -68,9 +62,7 @@ public class FreemarkerSSTI {
 Configuration cfg = new Configuration();
 Reader reader = new StringReader(code);
- // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
- // reader, Configuration cfg)
- Template t = new Template(name, sourceName, reader, cfg);
+ Template t = new Template(name, sourceName, reader, cfg); // $hasTemplateInjection
 }
 @GetMapping(value = "bad6")
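Review bot: The bad2 hunk removes a blank line and adds it straight back (a `-` and a `+` with nothing after the marker), which reads as a trailing-whitespace fix rather than part of the annotation change; the bad9 hunk in the last FreemarkerSSTI hunk carries the same pair. It makes the diff harder to scan for the lines that actually matter, the new `// $hasTemplateInjection` markers, so either leave that blank line untouched or make the whitespace clean-up a separate commit. The enclosing `bad2`/`bad9` method signatures are outside these hunks.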
@@ -81,10 +73,8 @@ public class FreemarkerSSTI {
 ParserConfiguration customParserConfiguration = new Configuration();
 Reader reader = new StringReader(code);
- // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
- // reader, Configuration cfg, ParserConfiguration customParserConfiguration,
- // java.lang.String encoding)
- Template t = new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8");
+ Template t =
+ new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $hasTemplateInjection
 }
 @GetMapping(value = "bad7")
@@ -95,9 +85,7 @@ public class FreemarkerSSTI {
 ParserConfiguration customParserConfiguration = new Configuration();
 Reader reader = new StringReader(code);
- // Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
- // reader, Configuration cfg, java.lang.String encoding)
- Template t = new Template(name, sourceName, reader, cfg, "UTF-8");
+ Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $hasTemplateInjection
 }
 @GetMapping(value = "bad8")
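Review bot: In the bad6 hunk the constructor call is wrapped so that `// $hasTemplateInjection` ends up on the continuation line rather than on the `Template t =` line, and nothing says that this placement is deliberate. It is correct only because the new test reports the sink's own location and the deleted expected file puts that sink on the `reader` argument, i.e. on the wrapped call line; someone tidying the formatting could easily move the marker up and break the test. A short comment on that line, `// marker must stay on the line holding the sink argument`, would make the constraint explicit. The `bad6` method signature is outside the hunk.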
@@ -105,28 +93,25 @@ public class FreemarkerSSTI {
 String code = request.getParameter("code");
 StringTemplateLoader stringLoader = new StringTemplateLoader();
- // void putTemplate(java.lang.String name, java.lang.String templateContent)
- stringLoader.putTemplate("myTemplate", code);
+ stringLoader.putTemplate("myTemplate", code); // $hasTemplateInjection
 }
 @GetMapping(value = "bad9")
 public void bad9(HttpServletRequest request) {
 String code = request.getParameter("code");
 StringTemplateLoader stringLoader = new StringTemplateLoader();
-
- // void putTemplate(java.lang.String name, java.lang.String templateContent,
- // long lastModified)
- stringLoader.putTemplate("myTemplate", code, 0);
+
+ stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
 }
 @GetMapping(value = "bad10")
 public void bad10(HttpServletRequest request) {
- HashMap root = new HashMap();
+ HashMap root = new HashMap();
 String code = request.getParameter("code");
- root.put("code", code);
+ root.put("code", code);
 Configuration cfg = new Configuration();
- Template temp = cfg.getTemplate("test.ftlh");
- OutputStreamWriter out = new OutputStreamWriter(System.out);
- temp.process(root, out);
+ Template temp = cfg.getTemplate("test.ftlh");
+ OutputStreamWriter out = new OutputStreamWriter(System.out);
+ temp.process(root, out); // $hasTemplateInjection
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java b/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java
index a5791ae1d57..4341a44f192 100644
--- a/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java
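Review bot: In bad10 the annotated call `temp.process(root, out)` receives the request value through the model map `root`, not as template source text, which makes it the only case in this file where the marker does not sit on a template-content argument; the hunk rewrites the five surrounding lines whitespace-only, so that distinction is easy to miss. The deleted expected file reported `root` as the sink for this case, so the result is presumably intended, but a maintainer reading the fixture cannot tell whether it is a deliberate test of model-value flow or a leftover. A comment on the marker line, `// tainted value reaches the engine through the data model, not the template text`, would settle that. The re-indented `HashMap root = new HashMap();` and `root.put(...)` lines are otherwise unchanged.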
@@ -21,8 +21,7 @@ public class JinJavaSSTI {
 String template = request.getParameter("template");
 Jinjava jinjava = new Jinjava();
 Map context = new HashMap<>();
- // String render(String template, Map bindings)
- String renderedTemplate = jinjava.render(template, context);
+ String renderedTemplate = jinjava.render(template, context); // $hasTemplateInjection
 }
 @GetMapping(value = "bad2")
@@ -30,8 +29,7 @@ public class JinJavaSSTI {
 String template = request.getParameter("template");
 Jinjava jinjava = new Jinjava();
 Map bindings = new HashMap<>();
- // RenderResult renderForResult (String template, Map bindings)
- RenderResult renderResult = jinjava.renderForResult(template, bindings);
+ RenderResult renderResult = jinjava.renderForResult(template, bindings); // $hasTemplateInjection
 }
 @GetMapping(value = "bad3")
@@ -41,8 +39,6 @@ public class JinJavaSSTI {
 Map bindings = new HashMap<>();
 JinjavaConfig renderConfig = new JinjavaConfig();
- // RenderResult renderForResult (String template, Map bindings,
- // JinjavaConfig renderConfig)
- RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig);
+ RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $hasTemplateInjection
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java b/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java
index 13ed42a9b26..05ddc157ae1 100644
--- a/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java
@@ -17,14 +17,15 @@ public class PebbleSSTI {
 public void bad1(HttpServletRequest request) {
 String code = request.getParameter("code");
 PebbleEngine engine = new PebbleEngine.Builder().build();
- // public PebbleTemplate getTemplate(String templateName)
- PebbleTemplate compiledTemplate = engine.getTemplate(code);
+ // public PebbleTemplate getTemplate(String templateName)
+ PebbleTemplate compiledTemplate = engine.getTemplate(code); // $hasTemplateInjection
 }
+
 @GetMapping(value = "bad2")
 public void bad2(HttpServletRequest request) {
 String code = request.getParameter("code");
 PebbleEngine engine = new PebbleEngine.Builder().build();
- // public PebbleTemplate getLiteralTemplate(String templateName)
- PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code);
+ // public PebbleTemplate getLiteralTemplate(String templateName)
+ PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code); // $hasTemplateInjection
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection.expected b/java/ql/test/query-tests/security/CWE-094/TemplateInjection.expected
deleted file mode 100644
index 8ae54f0b49f..00000000000
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection.expected
+++ /dev/null
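Review bot: The PebbleSSTI hunk keeps both `// public PebbleTemplate getTemplate(...)` / `getLiteralTemplate(...)` signature comments (they appear as a removed/added pair with only their indentation changed), while the FreemarkerSSTI, JinJavaSSTI and VelocitySSTI hunks delete the equivalent signature comments outright. The fixtures should follow one convention: either drop these two comment lines as well, or keep the signature comments in the other files, otherwise the test sources drift apart for no reason. If the comments are to stay, leaving them untouched also removes the whitespace-only `-`/`+` pairs from the diff.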
@@ -1,152 +0,0 @@ -edges -| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String | -| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:27:35:27:40 | reader | -| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:34:36:34:39 | code : String | -| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:38:35:38:40 | reader | -| FreemarkerSSTI.java:34:36:34:39 | code : String | FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:45:36:45:39 | code : String | -| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:50:35:50:40 | reader | -| FreemarkerSSTI.java:45:36:45:39 | code : String | FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode | -| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:69:36:69:39 | code : String | -| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:73:47:73:52 | reader | -| FreemarkerSSTI.java:69:36:69:39 | code : String | FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:82:36:82:39 | code : String | -| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:87:47:87:52 | reader | -| FreemarkerSSTI.java:82:36:82:39 | code : String | FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) 
: String | FreemarkerSSTI.java:96:36:96:39 | code : String | -| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:100:47:100:52 | reader | -| FreemarkerSSTI.java:96:36:96:39 | code : String | FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code | -| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code | -| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:126:26:126:29 | code : String | -| FreemarkerSSTI.java:126:9:126:12 | root [post update] [] : String | FreemarkerSSTI.java:130:22:130:25 | root | -| FreemarkerSSTI.java:126:26:126:29 | code : String | FreemarkerSSTI.java:126:9:126:12 | root [post update] [] : String | -| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template | -| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template | -| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template | -| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code | -| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code | -| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | -| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code | -| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:50:42:50:45 | code : String | -| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | VelocitySSTI.java:53:45:53:50 | reader | -| VelocitySSTI.java:50:42:50:45 | code : String | VelocitySSTI.java:50:25:50:46 | new StringReader(...) 
: StringReader | -| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:62:42:62:45 | code : String | -| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | VelocitySSTI.java:63:25:63:30 | reader | -| VelocitySSTI.java:62:42:62:45 | code : String | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | -| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:72:23:72:26 | code : String | -| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | VelocitySSTI.java:77:21:77:27 | context | -| VelocitySSTI.java:72:23:72:26 | code : String | VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | -| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:86:23:86:26 | code : String | -| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | VelocitySSTI.java:90:52:90:58 | context | -| VelocitySSTI.java:86:23:86:26 | code : String | VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | -| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:99:23:99:26 | code : String | -| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | VelocitySSTI.java:103:11:103:17 | context | -| VelocitySSTI.java:99:23:99:26 | code : String | VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | -| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | VelocitySSTI.java:112:23:112:26 | code : String | -| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | VelocitySSTI.java:116:11:116:17 | context | -| VelocitySSTI.java:112:23:112:26 | code : String | VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | -| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code | -nodes -| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) 
: String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:27:35:27:40 | reader | semmle.label | reader | -| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:34:36:34:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:38:35:38:40 | reader | semmle.label | reader | -| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:45:36:45:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:50:35:50:40 | reader | semmle.label | reader | -| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:61:35:61:44 | sourceCode | semmle.label | sourceCode | -| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:69:36:69:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:73:47:73:52 | reader | semmle.label | reader | -| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) 
: StringReader | -| FreemarkerSSTI.java:82:36:82:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:87:47:87:52 | reader | semmle.label | reader | -| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| FreemarkerSSTI.java:96:36:96:39 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:100:47:100:52 | reader | semmle.label | reader | -| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:109:42:109:45 | code | semmle.label | code | -| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:119:42:119:45 | code | semmle.label | code | -| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| FreemarkerSSTI.java:126:9:126:12 | root [post update] [] : String | semmle.label | root [post update] [] : String | -| FreemarkerSSTI.java:126:26:126:29 | code : String | semmle.label | code : String | -| FreemarkerSSTI.java:130:22:130:25 | root | semmle.label | root | -| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JinJavaSSTI.java:25:44:25:51 | template | semmle.label | template | -| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JinJavaSSTI.java:34:55:34:62 | template | semmle.label | template | -| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JinJavaSSTI.java:46:55:46:62 | template | semmle.label | template | -| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | semmle.label | getParameter(...) 
: String | -| PebbleSSTI.java:21:56:21:59 | code | semmle.label | code | -| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| PebbleSSTI.java:28:63:28:66 | code | semmle.label | code | -| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code | -| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:38:45:38:48 | code | semmle.label | code | -| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| VelocitySSTI.java:50:42:50:45 | code : String | semmle.label | code : String | -| VelocitySSTI.java:53:45:53:50 | reader | semmle.label | reader | -| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | -| VelocitySSTI.java:62:42:62:45 | code : String | semmle.label | code : String | -| VelocitySSTI.java:63:25:63:30 | reader | semmle.label | reader | -| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext | -| VelocitySSTI.java:72:23:72:26 | code : String | semmle.label | code : String | -| VelocitySSTI.java:77:21:77:27 | context | semmle.label | context | -| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) 
: String | -| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext | -| VelocitySSTI.java:86:23:86:26 | code : String | semmle.label | code : String | -| VelocitySSTI.java:90:52:90:58 | context | semmle.label | context | -| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext | -| VelocitySSTI.java:99:23:99:26 | code : String | semmle.label | code : String | -| VelocitySSTI.java:103:11:103:17 | context | semmle.label | context | -| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext | -| VelocitySSTI.java:112:23:112:26 | code : String | semmle.label | code : String | -| VelocitySSTI.java:116:11:116:17 | context | semmle.label | context | -| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| VelocitySSTI.java:124:37:124:40 | code | semmle.label | code | -subpaths -#select -| FreemarkerSSTI.java:27:35:27:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:27:35:27:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:38:35:38:40 | reader | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:38:35:38:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:50:35:50:40 | reader | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) 
: String | FreemarkerSSTI.java:50:35:50:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:61:35:61:44 | sourceCode | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:73:47:73:52 | reader | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:73:47:73:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:87:47:87:52 | reader | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:87:47:87:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:100:47:100:52 | reader | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:100:47:100:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:109:42:109:45 | code | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) | a template value loaded from a remote source. | -| FreemarkerSSTI.java:119:42:119:45 | code | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) 
| a template value loaded from a remote source. | -| FreemarkerSSTI.java:130:22:130:25 | root | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:130:22:130:25 | root | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) | a template value loaded from a remote source. | -| JinJavaSSTI.java:25:44:25:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | a template value loaded from a remote source. | -| JinJavaSSTI.java:34:55:34:62 | template | JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:30:21:30:52 | getParameter(...) | a template value loaded from a remote source. | -| JinJavaSSTI.java:46:55:46:62 | template | JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:39:21:39:52 | getParameter(...) | a template value loaded from a remote source. | -| PebbleSSTI.java:21:56:21:59 | code | PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:18:17:18:44 | getParameter(...) | a template value loaded from a remote source. | -| PebbleSSTI.java:28:63:28:66 | code | PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:25:17:25:44 | getParameter(...) | a template value loaded from a remote source. | -| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Potential arbitrary code execution due to $@. 
| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:38:45:38:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:53:45:53:50 | reader | VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:53:45:53:50 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:63:25:63:30 | reader | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:63:25:63:30 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:59:17:59:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:77:21:77:27 | context | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:69:17:69:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:90:52:90:58 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:90:52:90:58 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:103:11:103:17 | context | VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:103:11:103:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:96:17:96:44 | getParameter(...) | a template value loaded from a remote source. | -| VelocitySSTI.java:116:11:116:17 | context | VelocitySSTI.java:109:17:109:44 | getParameter(...) 
: String | VelocitySSTI.java:116:11:116:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:109:17:109:44 | getParameter(...) | a template value loaded from a remote source. |
-| VelocitySSTI.java:124:37:124:40 | code | VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:121:17:121:44 | getParameter(...) | a template value loaded from a remote source. |
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection.qlref b/java/ql/test/query-tests/security/CWE-094/TemplateInjection.qlref
deleted file mode 100644
index fabf9f17b8a..00000000000
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-094/TemplateInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql
new file mode 100644
index 00000000000..b8bb1080f3f
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.TemplateInjectionQuery
+import TestUtilities.InlineExpectationsTest
+
+class TemplateInjectionTest extends InlineExpectationsTest {
+ TemplateInjectionTest() { this = "TemplateInjectionTest" }
+
+ override string getARelevantTag() { result = "hasTemplateInjection" }
+
+ override predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "hasTemplateInjection" and
+ exists(DataFlow::Node src, DataFlow::Node sink, TemplateInjectionFlowConfig conf |
+ conf.hasFlow(src, sink)
+ |
+ sink.getLocation() = location and
+ element = sink.toString() and
+ value = ""
+ )
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java b/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java
index 2b32a4603c7..b70266130b1 100644
--- a/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java
@@ -24,7 +24,7 @@ public class ThymeleafSSTI {
 try {
 FileWriter fw = new FileWriter(new File("as"));
 TemplateEngine templateEngine = new TemplateEngine();
- templateEngine.process(code, ctx, fw);
+ templateEngine.process(code, ctx, fw); // $hasTemplateInjection
 } catch (Exception e) {
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java b/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java
index a8231fec12b..08c82852c25 100644
--- a/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java
@@ -34,8 +34,7 @@ public class VelocitySSTI {
 String s = "We are using $project $name to render this.";
 StringWriter w = new StringWriter();
- // evaluate( Context context, Writer out, String logTag, String instring )
- Velocity.evaluate(context, w, "mystring", code);
+ Velocity.evaluate(context, w, "mystring", code); // $hasTemplateInjection
 }
 @GetMapping(value = "bad2")
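Review bot: `hasActualResult` in the new TemplateInjectionTest.ql projects every flow path down to its sink (`element = sink.toString()`, `value = ""`), so the replacement for the deleted `.expected` file no longer asserts which source reaches each sink; the old file pinned every path to a `getParameter(...)` source, whereas now any `src` accepted by `conf.hasFlow(src, sink)` satisfies the `$hasTemplateInjection` marker. If that loss of precision is intended, say so in a QLDoc comment on the predicate, e.g. `/** Holds for every sink reached by a TemplateInjectionFlowConfig path; the source of the path is not checked. */`; if not, bind `value` to something derived from `src` and extend the markers in the Java fixtures to carry that value. `src` is otherwise unused in the body, which is fine but worth a word in that comment so nobody "simplifies" it away.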
@@ -49,8 +48,7 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 StringReader reader = new StringReader(code);
- // evaluate(Context context, Writer writer, String logTag, Reader reader)
- Velocity.evaluate(context, w, "mystring", reader);
+ Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
 }
 @GetMapping(value = "bad3")
@@ -60,7 +58,7 @@ public class VelocitySSTI {
 RuntimeServices runtimeServices = null;
 StringReader reader = new StringReader(code);
- runtimeServices.parse(reader, new Template());
+ runtimeServices.parse(reader, new Template()); // $hasTemplateInjection
 }
 @GetMapping(value = "bad4")
@@ -74,7 +72,7 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 StringReader reader = new StringReader("test");
- Velocity.evaluate(context, w, "mystring", reader);
+ Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
 }
 @GetMapping(value = "bad5")
@@ -87,7 +85,7 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 VelocityEngine engine = null;
- engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
+ engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w); // $hasTemplateInjection
 }
 @GetMapping(value = "bad6")
@@ -100,7 +98,7 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 Template t = new Template();
- t.merge(context, w);
+ t.merge(context, w); // $hasTemplateInjection
 }
 @GetMapping(value = "bad7")
@@ -113,7 +111,7 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 Template t = new Template();
- t.merge(context, w, new LinkedList());
+ t.merge(context, w, new LinkedList()); // $hasTemplateInjection
 }
 @GetMapping(value = "bad8")
@@ -121,7 +119,7 @@ public class VelocitySSTI {
 String code = request.getParameter("code");
 StringResourceRepository repo = new StringResourceRepositoryImpl();
- repo.putStringResource("woogie2", code);
+ repo.putStringResource("woogie2", code); // $hasTemplateInjection
 }
 }
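Review bot: In the bad4 hunk (`@@ -74,7 +72,7`) the `StringReader` handed to `Velocity.evaluate` wraps the literal `"test"`, so the `// $hasTemplateInjection` marker on that line can only refer to the `context` argument; the deleted expected file indeed lists `context` as the sink there (`VelocitySSTI.java:77:21:77:27 | context`), and the `context.put(...)` that taints it lies above the hunk. Without a hint, a reader sees a constant template being flagged and will take the marker for a mistake, so add `// sink is the tainted context, not the literal reader` on that line. The bad5, bad6 and bad7 hunks are in the same situation, their reported sinks being `context` as well, and could share the comment. Each method's signature is outside its hunk.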