rspec/rules/S5496/java/how-to-fix-it/groovy.adoc

== How to fix it in Groovy

=== Code examples

==== Noncompliant code example

The following code example is vulnerable to a Server-Side Template Injection
attack because it builds a template string from a user input without control or
sanitation.

[source,java,diff-id=21,diff-type=noncompliant]
----
@GetMapping("/example")
public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
    String templateString = "h1('" + title + "')";
    TemplateConfiguration config = new TemplateConfiguration();         
    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
    Template template = engine.createTemplate(templateString); // Noncompliant
    Writable out = template.make();
    return out.toString();
}
----

==== Compliant solution

[source,java,diff-id=21,diff-type=compliant]
----
@GetMapping("/example")
public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
    String templateString = "h1(title)";

    Map<String, Object> ctx = new HashMap<>();
    ctx.put("title", title);

    TemplateConfiguration config = new TemplateConfiguration();         
    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
    Template template = engine.createTemplate(templateString);
    Writable out = template.make(ctx);
    return out.toString();
}
----

=== How does this work?

The compliant code example uses a template binding to pass user information to
the template. The rendering engine then ensures that this tainted data is
processed in a way that will not change the template semantics.
Modify rule S5496: Add an how to fix session for Java and Groovy (APPSEC-1587) (#3900) 2024-04-23 14:15:29 +02:00			`== How to fix it in Groovy`

			`=== Code examples`

			`==== Noncompliant code example`

			`The following code example is vulnerable to a Server-Side Template Injection`
			`attack because it builds a template string from a user input without control or`
			`sanitation.`

			`[source,java,diff-id=21,diff-type=noncompliant]`
			`----`
			`@GetMapping("/example")`
			`public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {`
			`String templateString = "h1('" + title + "')";`
			`TemplateConfiguration config = new TemplateConfiguration();`
			`MarkupTemplateEngine engine = new MarkupTemplateEngine(config);`
			`Template template = engine.createTemplate(templateString); // Noncompliant`
			`Writable out = template.make();`
			`return out.toString();`
			`}`
			`----`

			`==== Compliant solution`

			`[source,java,diff-id=21,diff-type=compliant]`
			`----`
			`@GetMapping("/example")`
			`public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {`
			`String templateString = "h1(title)";`

			`Map<String, Object> ctx = new HashMap<>();`
			`ctx.put("title", title);`

			`TemplateConfiguration config = new TemplateConfiguration();`
			`MarkupTemplateEngine engine = new MarkupTemplateEngine(config);`
			`Template template = engine.createTemplate(templateString);`
			`Writable out = template.make(ctx);`
			`return out.toString();`
			`}`
			`----`

			`=== How does this work?`

			`The compliant code example uses a template binding to pass user information to`
			`the template. The rendering engine then ensures that this tainted data is`
			`processed in a way that will not change the template semantics.`