Java : Add query to detect Server Side Template Injection (SSTI)

CVE

This query has not been tested against all lgtm projects. So, there is no CVE found using this PR.

Description

This is a continuation of the now closed issue #94.

This query detects instances where user input is embedded in a template in an unsafe manner.
The PR adds support for multiple Java templating engines. As of now it covers :

• Velocity Templating Engine
• Freemarker Templating Engine
• Pebble Templating Engine
• Jinjava Templating Engine
• MVEL Templating Engine
• Thymeleaf Templating Engine

Link to the PR: github/codeql#5935

[antonio-morales]

Hi @porcupineyhairs

in order to meet the new submission criteria, you need to support your submission with a CVE mapping (old or new) not previously covered by any existing CodeQL query. See https://securitylab.github.com/bounties for more details.

Can you provide a valid result for this query?

Regards,
Antonio.

@antonio-morales This ticket was filed before the changes were made so this should ideally be considered under the earlier rules. Anyways, I cant find many open source CVEs but I can see this has been detected in multiple closed source projects. Here are some details I can find.

1. Youtrack SSTI
2. Ofbiz SSTI CVE-2016-4462
3. Yahoo Spring SSTI
4. Camel CVE-2020-11994

@antonio-morales I have found even more CVE's which should be detected by this but I can't generate a database as the build fails for one reason or the other. But there is one CVE-2020-24621 which can be easily replicated.

The build for that particular commit fails but I was somehow able to get a database created by excluding a few modules. To replicate please follow the steps below.

1. checkout commit 444e0c599fd896fd24ccc71946b35ca24a6ca1f2
2. run rm -rf ~/temp/mrs-htmlformentry-db;codeql database create ~/temp/mrs-htmlformentry-db --language=java --command='mvn -Dskiptests clean install -pl api,api-1.9,api-1.10,api-2.0,api-2.2,omod'

The query can then be run as is. There should be exactly one detection confirming the bug.

I am attaching the database here just in case. mrs-htmlformentry-db.zip

@ghsecuritylab any updates on this one?

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[antonio-morales]

@porcupineyhairs your submission is now in the last stage

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 1490372 for bounty 370969 : [410] Java : Add query to detect Server Side Template Injection (SSTI)

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed