From fb13e7f307ceb1b948db82b8acded3ea49d81846 Mon Sep 17 00:00:00 2001 From: Tony Torralba Date: Thu, 8 Sep 2022 13:56:56 +0200 Subject: [PATCH] Docs changes --- .../semmle/code/java/frameworks/Velocity.qll | 2 +- .../CWE/CWE-094/TemplateInjection.qhelp | 55 ++++++++++--------- .../Security/CWE/CWE-094/TemplateInjection.ql | 3 +- 3 files changed, 31 insertions(+), 29 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/Velocity.qll b/java/ql/lib/semmle/code/java/frameworks/Velocity.qll index b3142843c47..98c6acd60d4 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Velocity.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Velocity.qll @@ -1,4 +1,4 @@ -/** Definitions related to the Apache Velocity Templating library. */ +/** Definitions related to the Apache Velocity templating library. */ import java private import semmle.code.java.dataflow.ExternalFlow diff --git a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp index 882e9cecab1..970ffdcdf94 100644 --- a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp +++ b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp @@ -1,31 +1,32 @@ - -

- Template Injection occurs when user input is embedded in a template in an unsafe manner. - An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.

- - -

- To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited. -

- - -

- In the example given below, an untrusted HTTP parameter - code - is used as a Velocity template string. This can lead to remote code execution. -

- + +

+Template Injection occurs when user input is embedded in a template's code in an unsafe manner. +An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. +This permits the attacker to run arbitrary code in the server's context. +

+ + +

+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, +use a sandboxed environment where access to unsafe attributes and methods is prohibited. +

+ + +

+In the example given below, an untrusted HTTP parameter code is used as a Velocity template string. +This can lead to remote code execution. +

+ -

- In the next example the problem is avoided by using a fixed template string - s - . Since, the template is not attacker controlled in this case, we prevent untrusted code execution. -

- - - -
  • Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
    • -     +

    +In the next example the problem is avoided by using a fixed template string s. +Since the template's code is not attacker-controlled in this case, the untrusted code execution is prevented. +

    + +     + +
  • Portswigger: Server Side Template Injection
    • +         \ No newline at end of file diff --git a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql index a9e276834de..da7a3908bfd 100644 --- a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql @@ -1,11 +1,12 @@ /** * @name Server-side template injection - * @description Untrusted input used as a template parameter can lead to remote code execution. + * @description Untrusted input interpreted as a template can lead to remote code execution. * @kind path-problem * @problem.severity error * @precision high * @id java/server-side-template-injection * @tags security + * external/cwe/cwe-1336 * external/cwe/cwe-094 */