Java: Introduce Freemarker for SSTI queries #6320

Open
japroc wants to merge 3 commits into github:main from japroc:freemarker

Conversation

@japroc japroc commented Jul 18, 2021

Contributor

Hi team!

I want to add support for the Freemarker template engine.
There is a Freemarker.qll library and 2 queries.

Query 1 - FreemarkerTaintedTemplate.ql
Searches for cases where untrusted data is used as a template. This may lead to remote code execution and information disclosure vulnerabilities.

Query 2 - FreemarkerUnsafeConfiguration.ql
Searches for unsafe Freemarker configurations. It is not critical by default. However, when developers use the builtin interpret filter on user data, it will be executed as part of the template. As far as I know, it's impossible to analyze ftl files. As a mitigation, it's recommended to configure a secure engine by 1) not enabling the Builtin API, 2) setting the class resolver to ALLOWS_NOTHING_RESOLVER.

Thanks,
Evgenii.
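As an added illustration (not code from this PR or from the CodeQL project), the following Java sketch places the two patterns the queries look for beside their hardened counterparts. It assumes FreeMarker 2.3.x on the classpath; the class and method names are hypothetical.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FreemarkerHardening {

    // Pattern FreemarkerUnsafeConfiguration.ql looks for: the defaults are
    // left in place, so ?api and ?new stay available to template code.
    static Configuration permissiveConfiguration() {
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    // Hardened equivalent, following the PR description: disable the ?api
    // builtin and forbid ?new from instantiating any class at all.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setAPIBuiltinEnabled(false);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Pattern FreemarkerTaintedTemplate.ql looks for: untrusted text becomes
    // the template source, so FreeMarker interprets it instead of printing it.
    static String renderTaintedTemplate(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        Template t = new Template("inline", new StringReader(untrusted), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Safe equivalent: the template is a fixed string and the untrusted value
    // travels through the data model, where it is treated as plain data.
    static String renderWithDataModel(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        Template t = new Template("greeting", new StringReader("Hello, ${name}!"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", untrusted);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }
}
```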

@japroc japroc requested a review from a team as a code owner July 18, 2021 18:30
@intrigus-lgtm

Contributor

FYI: There is a similar PR #5935

smowton commented Jul 19, 2021

Contributor

In the event they differ enough: @japroc are you applying to the bounty program for this?

japroc commented Jul 20, 2021

Contributor Author

Hi @intrigus-lgtm and @smowton,

Unfortunately, I had not seen that PR (#5935) earlier. It looks similar. I think my FreemarkerTaintedTemplate.ql covers the same vulnerabilities.
This PR also contains the FreemarkerUnsafeConfiguration.ql query. Its description is in the first comment of this PR.

> In the event they differ enough: @japroc are you applying to the bounty program for this?

Yes, I wanted to apply for the bounty after some discussion.
