Tainting the freemarker dataModel isn't exploitable

atorralba · atorralba · commit 79a32f1a3e1f · 2022-09-12T14:22:06.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
@@ -74,7 +74,6 @@ private class TemplateInjectionSinkModels extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        "freemarker.template;Template;true;process;;;Argument[0];ssti;manual",
         "freemarker.template;Template;true;Template;(String,Reader);;Argument[1];ssti;manual",
         "freemarker.template;Template;true;Template;(String,Reader,Configuration);;Argument[1];ssti;manual",
         "freemarker.template;Template;true;Template;(String,Reader,Configuration,String);;Argument[1];ssti;manual",
diff --git a/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java b/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java
@@ -104,14 +104,14 @@ public void bad9(HttpServletRequest request) {
 		stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
 	}
 
-	@GetMapping(value = "bad10")
-	public void bad10(HttpServletRequest request) {
+	@GetMapping(value = "good1")
+	public void good1(HttpServletRequest request) {
 		HashMap<Object, Object> root = new HashMap();
 		String code = request.getParameter("code");
 		root.put("code", code);
 		Configuration cfg = new Configuration();
 		Template temp = cfg.getTemplate("test.ftlh");
 		OutputStreamWriter out = new OutputStreamWriter(System.out);
-		temp.process(root, out); // $hasTemplateInjection
+		temp.process(root, out); // Safe
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,6 @@ private class TemplateInjectionSinkModels extends SinkModelCsv {`
`74`	`74`	`override predicate row(string row) {`
`75`	`75`	`row =`
`76`	`76`	`[`
`77`		`- "freemarker.template;Template;true;process;;;Argument[0];ssti;manual",`
`78`	`77`	`"freemarker.template;Template;true;Template;(String,Reader);;Argument[1];ssti;manual",`
`79`	`78`	`"freemarker.template;Template;true;Template;(String,Reader,Configuration);;Argument[1];ssti;manual",`
`80`	`79`	`"freemarker.template;Template;true;Template;(String,Reader,Configuration,String);;Argument[1];ssti;manual",`
Original file line number	Diff line number	Diff line change
`@@ -104,14 +104,14 @@ public void bad9(HttpServletRequest request) {`
`104`	`104`	`stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection`
`105`	`105`	`}`
`106`	`106`
`107`		`- @GetMapping(value = "bad10")`
`108`		`- public void bad10(HttpServletRequest request) {`
	`107`	`+ @GetMapping(value = "good1")`
	`108`	`+ public void good1(HttpServletRequest request) {`
`109`	`109`	`HashMap<Object, Object> root = new HashMap();`
`110`	`110`	`String code = request.getParameter("code");`
`111`	`111`	`root.put("code", code);`
`112`	`112`	`Configuration cfg = new Configuration();`
`113`	`113`	`Template temp = cfg.getTemplate("test.ftlh");`
`114`	`114`	`OutputStreamWriter out = new OutputStreamWriter(System.out);`
`115`		`- temp.process(root, out); // $hasTemplateInjection`
	`115`	`+ temp.process(root, out); // Safe`
`116`	`116`	`}`
`117`	`117`	`}`