Skip to content

Commit 409a123

Browse files
atorralbaatorralba
committed
Tainting the velocity context isn't exploitable
1 parent d748fb5 commit 409a123

File tree

4 files changed

+14
-42
lines changed

4 files changed

+14
-42
lines changed

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -117,7 +117,6 @@ private module Frameworks {
117117
private import semmle.code.java.frameworks.Retrofit
118118
private import semmle.code.java.frameworks.Stream
119119
private import semmle.code.java.frameworks.Strings
120-
private import semmle.code.java.frameworks.Velocity
121120
private import semmle.code.java.frameworks.ratpack.Ratpack
122121
private import semmle.code.java.frameworks.ratpack.RatpackExec
123122
private import semmle.code.java.frameworks.spring.SpringCache

java/ql/lib/semmle/code/java/frameworks/Velocity.qll

Lines changed: 0 additions & 14 deletions
This file was deleted.

java/ql/lib/semmle/code/java/security/TemplateInjection.qll

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -89,18 +89,14 @@ private class TemplateInjectionSinkModels extends SinkModelCsv {
8989
"com.hubspot.jinjava;Jinjava;true;render;;;Argument[0];ssti;manual",
9090
"org.thymeleaf;ITemplateEngine;true;process;;;Argument[0];ssti;manual",
9191
"org.thymeleaf;ITemplateEngine;true;processThrottled;;;Argument[0];ssti;manual",
92-
"org.apache.velocity.app;Velocity;true;evaluate;;;Argument[0];ssti;manual",
9392
"org.apache.velocity.app;Velocity;true;evaluate;;;Argument[3];ssti;manual",
9493
"org.apache.velocity.app;Velocity;true;mergeTemplate;;;Argument[2];ssti;manual",
95-
"org.apache.velocity.app;VelocityEngine;true;evaluate;;;Argument[0];ssti;manual",
9694
"org.apache.velocity.app;VelocityEngine;true;evaluate;;;Argument[3];ssti;manual",
9795
"org.apache.velocity.app;VelocityEngine;true;mergeTemplate;;;Argument[2];ssti;manual",
9896
"org.apache.velocity.runtime.resource.util;StringResourceRepository;true;putStringResource;;;Argument[1];ssti;manual",
99-
"org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[0];ssti;manual",
10097
"org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[3];ssti;manual",
10198
"org.apache.velocity.runtime;RuntimeServices;true;parse;;;Argument[0];ssti;manual",
102-
"org.apache.velocity.runtime;RuntimeSingleton;true;parse;;;Argument[0];ssti;manual",
103-
"org.apache.velocity;Template;true;merge;;;Argument[0];ssti;manual"
99+
"org.apache.velocity.runtime;RuntimeSingleton;true;parse;;;Argument[0];ssti;manual"
104100
]
105101
}
106102
}

java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java

Lines changed: 13 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -61,8 +61,8 @@ public void bad3(HttpServletRequest request) {
6161
runtimeServices.parse(reader, new Template()); // $hasTemplateInjection
6262
}
6363

64-
@GetMapping(value = "bad4")
65-
public void bad4(HttpServletRequest request) {
64+
@GetMapping(value = "good1")
65+
public void good1(HttpServletRequest request) {
6666
String name = "ttemplate";
6767
String code = request.getParameter("code");
6868

@@ -72,7 +72,7 @@ public void bad4(HttpServletRequest request) {
7272
StringWriter w = new StringWriter();
7373
StringReader reader = new StringReader("test");
7474

75-
Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
75+
Velocity.evaluate(context, w, "mystring", reader); // Safe
7676
}
7777

7878
@GetMapping(value = "bad5")
@@ -85,15 +85,17 @@ public void bad5(HttpServletRequest request) {
8585

8686
StringWriter w = new StringWriter();
8787
VelocityEngine engine = null;
88-
engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w); // $hasTemplateInjection
88+
engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w); // Safe
8989
AbstractContext ctx = null;
9090
ctx.put("key", code);
91-
engine.evaluate(ctx, null, null, null); // $hasTemplateInjection
91+
engine.evaluate(ctx, null, null, (String) null); // Safe
92+
engine.evaluate(ctx, null, null, (Reader) null); // Safe
9293
engine.evaluate(null, null, null, code); // $hasTemplateInjection
94+
engine.evaluate(null, null, null, new StringReader(code)); // $hasTemplateInjection
9395
}
9496

95-
@GetMapping(value = "bad6")
96-
public void bad6(HttpServletRequest request) {
97+
@GetMapping(value = "good2")
98+
public void good2(HttpServletRequest request) {
9799
String name = "ttemplate";
98100
String code = request.getParameter("code");
99101

@@ -102,24 +104,13 @@ public void bad6(HttpServletRequest request) {
102104

103105
StringWriter w = new StringWriter();
104106
Template t = new Template();
105-
t.merge(context, w); // $hasTemplateInjection
106-
}
107-
108-
@GetMapping(value = "bad7")
109-
public void bad7(HttpServletRequest request) {
110-
String name = "ttemplate";
111-
String code = request.getParameter("code");
107+
t.merge(context, w); // Safe
108+
t.merge(context, w, new LinkedList<String>()); // Safe
112109

113-
VelocityContext context = new VelocityContext();
114-
context.put("code", code);
115-
116-
StringWriter w = new StringWriter();
117-
Template t = new Template();
118-
t.merge(context, w, new LinkedList<String>()); // $hasTemplateInjection
119110
}
120111

121-
@GetMapping(value = "bad8")
122-
public void bad8(HttpServletRequest request) {
112+
@GetMapping(value = "bad6")
113+
public void bad6(HttpServletRequest request) {
123114
String code = request.getParameter("code");
124115

125116
StringResourceRepository repo = new StringResourceRepositoryImpl();

0 commit comments

Comments
 (0)