Skip to content

Java : Add query to detect Server Side Template Injection (SSTI) #410

Closed
Closed
Java : Add query to detect Server Side Template Injection (SSTI)#410
Labels
All For OneSubmissions to the All for One, One for All bounty
@ghost

Description

@ghost
ghost
opened on Jul 21, 2021

CVE

This query has not been tested against all lgtm projects. So, there is no CVE found using this PR.

Description

This is a continuation of the now closed issue #94.

This query detects instances where user input is embedded in a template in an unsafe manner.
The PR adds support for multiple Java templating engines. As of now it covers :

  • Velocity Templating Engine
  • Freemarker Templating Engine
  • Pebble Templating Engine
  • Jinjava Templating Engine
  • MVEL Templating Engine
  • Thymeleaf Templating Engine

Link to the PR: github/codeql#5935

Metadata

Metadata

Assignees

No one assigned

    Labels

    All For OneSubmissions to the All for One, One for All bounty

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions