Java : Add query to detect Server Side Template Injection

CVE

This query has not been tested against all lgtm projects. So, there is no CVE found using this PR.

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Java templating engines. As of now it covers

1. Velocity Templating Engine
2. Freemarker Templating Engine
3. Pebble Templating Engine

I also plan on including the Jinjava Templating Engine

The PR is as of now a WIP. I can't get the unit tests to run properly as the stubs for the libraries are not yet included. I had raised this concern over slack a few days back but I haven't received any responses yet.

Link to the PR:[github/codeql#3353]

[kevinbackhouse]

Hi @porcupineyhairs. It looks like this one hasn't made any progress since last year. Is it ok if I drop it from our bounty pipeline for now? You can resubmit it when it's ready.

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@kevinbackhouse Sorry, I totally forgot about this one. The query from a pure QL stand point is ready. It lacks documentation and tests. I would add them over the weekend and create a new tracking issue once done.

[kevinbackhouse]

Ok, sounds good. Hopefully all you need to do is put the "All For One" label back on this issue when it's ready. If that doesn't trigger the process automatically then ping me and I'll take a look.

@kevinbackhouse @xcorail Github shows this issue as open but the bot has closed this internally. Can you please check if this is still marked pending in the pipeline?

[smowton]

Per @pwntester please create a fresh application for this