Use InlineExpectationsTest

This commit is contained in:
Tony Torralba
2022-09-08 13:42:25 +02:00
parent b68e6669b8
commit e311155acd
9 changed files with 54 additions and 207 deletions


@@ -23,8 +23,7 @@ public class FreemarkerSSTI {
String code = request.getParameter("code");
Reader reader = new StringReader(code);
// Template(java.lang.String name, java.io.Reader reader)
Template t = new Template(name, reader);
Template t = new Template(name, reader); // $hasTemplateInjection
}
@GetMapping(value = "bad2")
@@ -33,9 +32,8 @@ public class FreemarkerSSTI {
String code = request.getParameter("code");
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
// Template(java.lang.String name, java.io.Reader reader, Configuration cfg)
Template t = new Template(name, reader, cfg);
Template t = new Template(name, reader, cfg); // $hasTemplateInjection
}
@GetMapping(value = "bad3")
@@ -45,9 +43,7 @@ public class FreemarkerSSTI {
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
// Template(java.lang.String name, java.io.Reader reader, Configuration cfg,
// java.lang.String encoding)
Template t = new Template(name, reader, cfg, "UTF-8");
Template t = new Template(name, reader, cfg, "UTF-8"); // $hasTemplateInjection
}
@GetMapping(value = "bad4")
@@ -56,9 +52,7 @@ public class FreemarkerSSTI {
String sourceCode = request.getParameter("sourceCode");
Configuration cfg = new Configuration();
// Template(java.lang.String name, java.lang.String sourceCode, Configuration
// cfg)
Template t = new Template(name, sourceCode, cfg);
Template t = new Template(name, sourceCode, cfg); // $hasTemplateInjection
}
@GetMapping(value = "bad5")
@@ -68,9 +62,7 @@ public class FreemarkerSSTI {
Configuration cfg = new Configuration();
Reader reader = new StringReader(code);
// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
// reader, Configuration cfg)
Template t = new Template(name, sourceName, reader, cfg);
Template t = new Template(name, sourceName, reader, cfg); // $hasTemplateInjection
}
@GetMapping(value = "bad6")
@@ -81,10 +73,8 @@ public class FreemarkerSSTI {
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
// reader, Configuration cfg, ParserConfiguration customParserConfiguration,
// java.lang.String encoding)
Template t = new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8");
Template t =
new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $hasTemplateInjection
}
@GetMapping(value = "bad7")
@@ -95,9 +85,7 @@ public class FreemarkerSSTI {
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
// Template(java.lang.String name, java.lang.String sourceName, java.io.Reader
// reader, Configuration cfg, java.lang.String encoding)
Template t = new Template(name, sourceName, reader, cfg, "UTF-8");
Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $hasTemplateInjection
}
@GetMapping(value = "bad8")
@@ -105,28 +93,25 @@ public class FreemarkerSSTI {
String code = request.getParameter("code");
StringTemplateLoader stringLoader = new StringTemplateLoader();
// void putTemplate(java.lang.String name, java.lang.String templateContent)
stringLoader.putTemplate("myTemplate", code);
stringLoader.putTemplate("myTemplate", code); // $hasTemplateInjection
}
@GetMapping(value = "bad9")
public void bad9(HttpServletRequest request) {
String code = request.getParameter("code");
StringTemplateLoader stringLoader = new StringTemplateLoader();
// void putTemplate(java.lang.String name, java.lang.String templateContent,
// long lastModified)
stringLoader.putTemplate("myTemplate", code, 0);
stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
}
@GetMapping(value = "bad10")
public void bad10(HttpServletRequest request) {
HashMap<Object,Object> root = new HashMap();
HashMap<Object, Object> root = new HashMap();
String code = request.getParameter("code");
root.put("code", code);
root.put("code", code);
Configuration cfg = new Configuration();
Template temp = cfg.getTemplate("test.ftlh");
OutputStreamWriter out = new OutputStreamWriter(System.out);
temp.process(root, out);
Template temp = cfg.getTemplate("test.ftlh");
OutputStreamWriter out = new OutputStreamWriter(System.out);
temp.process(root, out); // $hasTemplateInjection
}
}
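Review bot: `HashMap<Object, Object> root = new HashMap();` in bad10 keeps the raw-typed constructor while the declaration is being reformatted; since the line is touched anyway, `HashMap<Object, Object> root = new HashMap<>();` removes the unchecked-conversion warning and matches the `new HashMap<>()` form used in JinJavaSSTI. The expectation on `temp.process(root, out)` is unaffected, as the annotated sink there is the `root` argument rather than the declaration. In bad6 the `// $hasTemplateInjection` tag lands on the continuation line of the split statement, which is only correct if the sink argument's location starts on that line; it appears to, but worth confirming when the test runs.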


@@ -21,8 +21,7 @@ public class JinJavaSSTI {
String template = request.getParameter("template");
Jinjava jinjava = new Jinjava();
Map<String, Object> context = new HashMap<>();
// String render(String template, Map<String, ?> bindings)
String renderedTemplate = jinjava.render(template, context);
String renderedTemplate = jinjava.render(template, context); // $hasTemplateInjection
}
@GetMapping(value = "bad2")
@@ -30,8 +29,7 @@ public class JinJavaSSTI {
String template = request.getParameter("template");
Jinjava jinjava = new Jinjava();
Map<String, Object> bindings = new HashMap<>();
// RenderResult renderForResult (String template, Map<String, ?> bindings)
RenderResult renderResult = jinjava.renderForResult(template, bindings);
RenderResult renderResult = jinjava.renderForResult(template, bindings); // $hasTemplateInjection
}
@GetMapping(value = "bad3")
@@ -41,8 +39,6 @@ public class JinJavaSSTI {
Map<String, Object> bindings = new HashMap<>();
JinjavaConfig renderConfig = new JinjavaConfig();
// RenderResult renderForResult (String template, Map<String, ?> bindings,
// JinjavaConfig renderConfig)
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig);
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $hasTemplateInjection
}
}
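Review bot: The overload-signature comments (`// String render(String template, Map<String, ?> bindings)` and the two `renderForResult` ones) appear to be dropped in all three hunks here, judging by the hunk line counts, and FreemarkerSSTI and VelocitySSTI drop theirs too, while PebbleSSTI keeps `// public PebbleTemplate getTemplate(String templateName)` above its annotated calls. Those comments are the only thing telling a reader which overload each `badN` method exercises, and the inline `$hasTemplateInjection` tag does not carry that information. Keeping them on the line above the annotated call, as Pebble does, would leave the fixtures consistent and self-documenting.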


@@ -17,14 +17,15 @@ public class PebbleSSTI {
public void bad1(HttpServletRequest request) {
String code = request.getParameter("code");
PebbleEngine engine = new PebbleEngine.Builder().build();
// public PebbleTemplate getTemplate(String templateName)
PebbleTemplate compiledTemplate = engine.getTemplate(code);
// public PebbleTemplate getTemplate(String templateName)
PebbleTemplate compiledTemplate = engine.getTemplate(code); // $hasTemplateInjection
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String code = request.getParameter("code");
PebbleEngine engine = new PebbleEngine.Builder().build();
// public PebbleTemplate getLiteralTemplate(String templateName)
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code);
// public PebbleTemplate getLiteralTemplate(String templateName)
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(code); // $hasTemplateInjection
}
}


@@ -1,152 +0,0 @@
edges
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String |
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:27:35:27:40 | reader |
| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:34:36:34:39 | code : String |
| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:38:35:38:40 | reader |
| FreemarkerSSTI.java:34:36:34:39 | code : String | FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:45:36:45:39 | code : String |
| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:50:35:50:40 | reader |
| FreemarkerSSTI.java:45:36:45:39 | code : String | FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode |
| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:69:36:69:39 | code : String |
| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:73:47:73:52 | reader |
| FreemarkerSSTI.java:69:36:69:39 | code : String | FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:82:36:82:39 | code : String |
| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:87:47:87:52 | reader |
| FreemarkerSSTI.java:82:36:82:39 | code : String | FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:36:96:39 | code : String |
| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:100:47:100:52 | reader |
| FreemarkerSSTI.java:96:36:96:39 | code : String | FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code |
| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code |
| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:126:26:126:29 | code : String |
| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | FreemarkerSSTI.java:130:22:130:25 | root |
| FreemarkerSSTI.java:126:26:126:29 | code : String | FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String |
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template |
| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template |
| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template |
| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code |
| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code |
| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code |
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code |
| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:50:42:50:45 | code : String |
| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | VelocitySSTI.java:53:45:53:50 | reader |
| VelocitySSTI.java:50:42:50:45 | code : String | VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader |
| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:62:42:62:45 | code : String |
| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | VelocitySSTI.java:63:25:63:30 | reader |
| VelocitySSTI.java:62:42:62:45 | code : String | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader |
| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:72:23:72:26 | code : String |
| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | VelocitySSTI.java:77:21:77:27 | context |
| VelocitySSTI.java:72:23:72:26 | code : String | VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext |
| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:86:23:86:26 | code : String |
| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | VelocitySSTI.java:90:52:90:58 | context |
| VelocitySSTI.java:86:23:86:26 | code : String | VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext |
| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:99:23:99:26 | code : String |
| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | VelocitySSTI.java:103:11:103:17 | context |
| VelocitySSTI.java:99:23:99:26 | code : String | VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext |
| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | VelocitySSTI.java:112:23:112:26 | code : String |
| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | VelocitySSTI.java:116:11:116:17 | context |
| VelocitySSTI.java:112:23:112:26 | code : String | VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext |
| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code |
nodes
| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:27:35:27:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:34:19:34:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:34:36:34:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:38:35:38:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:45:19:45:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:45:36:45:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:50:35:50:40 | reader | semmle.label | reader |
| FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:61:35:61:44 | sourceCode | semmle.label | sourceCode |
| FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:69:19:69:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:69:36:69:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:73:47:73:52 | reader | semmle.label | reader |
| FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:82:19:82:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:82:36:82:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:87:47:87:52 | reader | semmle.label | reader |
| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:96:19:96:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| FreemarkerSSTI.java:96:36:96:39 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:100:47:100:52 | reader | semmle.label | reader |
| FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:109:42:109:45 | code | semmle.label | code |
| FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:119:42:119:45 | code | semmle.label | code |
| FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FreemarkerSSTI.java:126:9:126:12 | root [post update] [<map.value>] : String | semmle.label | root [post update] [<map.value>] : String |
| FreemarkerSSTI.java:126:26:126:29 | code : String | semmle.label | code : String |
| FreemarkerSSTI.java:130:22:130:25 | root | semmle.label | root |
| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:25:44:25:51 | template | semmle.label | template |
| JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:34:55:34:62 | template | semmle.label | template |
| JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JinJavaSSTI.java:46:55:46:62 | template | semmle.label | template |
| PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| PebbleSSTI.java:21:56:21:59 | code | semmle.label | code |
| PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| PebbleSSTI.java:28:63:28:66 | code | semmle.label | code |
| ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code |
| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:38:45:38:48 | code | semmle.label | code |
| VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:50:25:50:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| VelocitySSTI.java:50:42:50:45 | code : String | semmle.label | code : String |
| VelocitySSTI.java:53:45:53:50 | reader | semmle.label | reader |
| VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| VelocitySSTI.java:62:42:62:45 | code : String | semmle.label | code : String |
| VelocitySSTI.java:63:25:63:30 | reader | semmle.label | reader |
| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
| VelocitySSTI.java:72:23:72:26 | code : String | semmle.label | code : String |
| VelocitySSTI.java:77:21:77:27 | context | semmle.label | context |
| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
| VelocitySSTI.java:86:23:86:26 | code : String | semmle.label | code : String |
| VelocitySSTI.java:90:52:90:58 | context | semmle.label | context |
| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
| VelocitySSTI.java:99:23:99:26 | code : String | semmle.label | code : String |
| VelocitySSTI.java:103:11:103:17 | context | semmle.label | context |
| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
| VelocitySSTI.java:112:23:112:26 | code : String | semmle.label | code : String |
| VelocitySSTI.java:116:11:116:17 | context | semmle.label | context |
| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| VelocitySSTI.java:124:37:124:40 | code | semmle.label | code |
subpaths
#select
| FreemarkerSSTI.java:27:35:27:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:27:35:27:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:38:35:38:40 | reader | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) : String | FreemarkerSSTI.java:38:35:38:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:33:17:33:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:50:35:50:40 | reader | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) : String | FreemarkerSSTI.java:50:35:50:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:61:35:61:44 | sourceCode | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) : String | FreemarkerSSTI.java:61:35:61:44 | sourceCode | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:56:23:56:56 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:73:47:73:52 | reader | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) : String | FreemarkerSSTI.java:73:47:73:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:67:17:67:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:87:47:87:52 | reader | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) : String | FreemarkerSSTI.java:87:47:87:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:79:17:79:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:100:47:100:52 | reader | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:100:47:100:52 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:109:42:109:45 | code | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) : String | FreemarkerSSTI.java:109:42:109:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:105:17:105:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:119:42:119:45 | code | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) : String | FreemarkerSSTI.java:119:42:119:45 | code | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:114:17:114:44 | getParameter(...) | a template value loaded from a remote source. |
| FreemarkerSSTI.java:130:22:130:25 | root | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) : String | FreemarkerSSTI.java:130:22:130:25 | root | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:125:17:125:44 | getParameter(...) | a template value loaded from a remote source. |
| JinJavaSSTI.java:25:44:25:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:25:44:25:51 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | a template value loaded from a remote source. |
| JinJavaSSTI.java:34:55:34:62 | template | JinJavaSSTI.java:30:21:30:52 | getParameter(...) : String | JinJavaSSTI.java:34:55:34:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:30:21:30:52 | getParameter(...) | a template value loaded from a remote source. |
| JinJavaSSTI.java:46:55:46:62 | template | JinJavaSSTI.java:39:21:39:52 | getParameter(...) : String | JinJavaSSTI.java:46:55:46:62 | template | Potential arbitrary code execution due to $@. | JinJavaSSTI.java:39:21:39:52 | getParameter(...) | a template value loaded from a remote source. |
| PebbleSSTI.java:21:56:21:59 | code | PebbleSSTI.java:18:17:18:44 | getParameter(...) : String | PebbleSSTI.java:21:56:21:59 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:18:17:18:44 | getParameter(...) | a template value loaded from a remote source. |
| PebbleSSTI.java:28:63:28:66 | code | PebbleSSTI.java:25:17:25:44 | getParameter(...) : String | PebbleSSTI.java:28:63:28:66 | code | Potential arbitrary code execution due to $@. | PebbleSSTI.java:25:17:25:44 | getParameter(...) | a template value loaded from a remote source. |
| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Potential arbitrary code execution due to $@. | ThymeleafSSTI.java:22:17:22:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:38:45:38:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:38:45:38:48 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:53:45:53:50 | reader | VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:53:45:53:50 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:63:25:63:30 | reader | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:63:25:63:30 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:59:17:59:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:77:21:77:27 | context | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:69:17:69:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:90:52:90:58 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:90:52:90:58 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:103:11:103:17 | context | VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:103:11:103:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:96:17:96:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:116:11:116:17 | context | VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | VelocitySSTI.java:116:11:116:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:109:17:109:44 | getParameter(...) | a template value loaded from a remote source. |
| VelocitySSTI.java:124:37:124:40 | code | VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:121:17:121:44 | getParameter(...) | a template value loaded from a remote source. |


@@ -1 +0,0 @@
Security/CWE/CWE-094/TemplateInjection.ql


@@ -0,0 +1,20 @@
import java
import semmle.code.java.security.TemplateInjectionQuery
import TestUtilities.InlineExpectationsTest
class TemplateInjectionTest extends InlineExpectationsTest {
TemplateInjectionTest() { this = "TemplateInjectionTest" }
override string getARelevantTag() { result = "hasTemplateInjection" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasTemplateInjection" and
exists(DataFlow::Node src, DataFlow::Node sink, TemplateInjectionFlowConfig conf |
conf.hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
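Review bot: `value = ""` in hasActualResult makes every expectation tag-only, so the inline `$hasTemplateInjection` comments no longer record which argument is the sink, information the deleted `.expected` file carried (it distinguished `reader` from `context` in VelocitySSTI and named `root` for FreemarkerSSTI bad10). Binding `value = sink.toString()` and writing the annotations as e.g. `// $hasTemplateInjection=context` would preserve that precision for the cases where a line has several candidate arguments. Separately, `src` is bound only to satisfy `hasFlow`; if `hasFlowTo` is available on this configuration class, `conf.hasFlowTo(sink)` expresses the same thing without the unused node.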


@@ -24,7 +24,7 @@ public class ThymeleafSSTI {
try {
FileWriter fw = new FileWriter(new File("as"));
TemplateEngine templateEngine = new TemplateEngine();
templateEngine.process(code, ctx, fw);
templateEngine.process(code, ctx, fw); // $hasTemplateInjection
} catch (Exception e) {
}
}


@@ -34,8 +34,7 @@ public class VelocitySSTI {
String s = "We are using $project $name to render this.";
StringWriter w = new StringWriter();
// evaluate( Context context, Writer out, String logTag, String instring )
Velocity.evaluate(context, w, "mystring", code);
Velocity.evaluate(context, w, "mystring", code); // $hasTemplateInjection
}
@GetMapping(value = "bad2")
@@ -49,8 +48,7 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
StringReader reader = new StringReader(code);
// evaluate(Context context, Writer writer, String logTag, Reader reader)
Velocity.evaluate(context, w, "mystring", reader);
Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
}
@GetMapping(value = "bad3")
@@ -60,7 +58,7 @@ public class VelocitySSTI {
RuntimeServices runtimeServices = null;
StringReader reader = new StringReader(code);
runtimeServices.parse(reader, new Template());
runtimeServices.parse(reader, new Template()); // $hasTemplateInjection
}
@GetMapping(value = "bad4")
@@ -74,7 +72,7 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
StringReader reader = new StringReader("test");
Velocity.evaluate(context, w, "mystring", reader);
Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
}
@GetMapping(value = "bad5")
@@ -87,7 +85,7 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
VelocityEngine engine = null;
engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w); // $hasTemplateInjection
}
@GetMapping(value = "bad6")
@@ -100,7 +98,7 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
Template t = new Template();
t.merge(context, w);
t.merge(context, w); // $hasTemplateInjection
}
@GetMapping(value = "bad7")
@@ -113,7 +111,7 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
Template t = new Template();
t.merge(context, w, new LinkedList<String>());
t.merge(context, w, new LinkedList<String>()); // $hasTemplateInjection
}
@GetMapping(value = "bad8")
@@ -121,7 +119,7 @@ public class VelocitySSTI {
String code = request.getParameter("code");
StringResourceRepository repo = new StringResourceRepositoryImpl();
repo.putStringResource("woogie2", code);
repo.putStringResource("woogie2", code); // $hasTemplateInjection
}
}