
Java : Add query to detect Server Side Template Injection #94


Closed
ghost opened this issue May 21, 2020 · 6 comments

Comments

@ghost

ghost commented May 21, 2020

CVE

This query has not been tested against all lgtm projects, so no CVE has been found using this PR.

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Java templating engines. As of now it covers

  1. Velocity Templating Engine
  2. Freemarker Templating Engine
  3. Pebble Templating Engine

I also plan on including the Jinjava Templating Engine

The PR is as of now a WIP. I can't get the unit tests to run properly as the stubs for the libraries are not yet included. I had raised this concern over slack a few days back but I haven't received any responses yet.

Link to the PR: [github/codeql#3353]
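As an added illustration of the pattern the query targets (example code, not from the PR or the CodeQL repository): with Velocity, concatenating a request-supplied value into the template source makes it part of the template grammar, whereas passing it through the context exposes it only as data. Class and method names are hypothetical.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

// Added example, not code from the PR: the unsafe and safe ways to combine
// an untrusted value with a Velocity template. The query described above
// flags the first pattern (untrusted data flowing into the template source).
public class GreetingRenderer {

    // UNSAFE: the user's input becomes part of the template source, so it is
    // parsed for Velocity directives and references instead of being printed.
    static String renderUnsafe(String userName) {
        String templateSource = "Hello, " + userName + "!";  // taint reaches the template
        StringWriter out = new StringWriter();
        Velocity.evaluate(new VelocityContext(), out, "greeting", templateSource);
        return out.toString();
    }

    // SAFE: the template source is a constant; the user's input is only a
    // context value, so the engine renders it as data.
    static String renderSafe(String userName) {
        String templateSource = "Hello, $name!";  // fixed template, no taint
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userName);
        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "greeting", templateSource);
        return out.toString();
    }

    public static void main(String[] args) {
        Velocity.init();  // default engine configuration
        // Constructed sample input: a plain name renders identically either way;
        // the difference only shows once the input contains template syntax.
        System.out.println(renderUnsafe("Alice"));
        System.out.println(renderSafe("Alice"));
    }
}
```

The same split applies to Freemarker and Pebble: building the template text from request data is the sink, while supplying request data through the model or context is not.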

@ghost ghost added the All For One Submissions to the All for One, One for All bounty label May 21, 2020
@kevinbackhouse
Contributor

Hi @porcupineyhairs. It looks like this one hasn't made any progress since last year. Is it ok if I drop it from our bounty pipeline for now? You can resubmit it when it's ready.

@kevinbackhouse kevinbackhouse removed the All For One Submissions to the All for One, One for All bounty label Jan 14, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghost
Author

ghost commented Jan 14, 2021

@kevinbackhouse Sorry, I totally forgot about this one. The query from a pure QL standpoint is ready. It lacks documentation and tests. I would add them over the weekend and create a new tracking issue once done.

@kevinbackhouse
Contributor

Ok, sounds good. Hopefully all you need to do is put the "All For One" label back on this issue when it's ready. If that doesn't trigger the process automatically then ping me and I'll take a look.

@ghost
Author

ghost commented Jul 20, 2021

@kevinbackhouse @xcorail GitHub shows this issue as open but the bot has closed this internally. Can you please check if this is still marked pending in the pipeline?

@smowton

smowton commented Jul 20, 2021

Per @pwntester please create a fresh application for this
