Modify rule S5496: Add an how to fix session for Java and Groovy (APPSEC-1587) (#3900)

2024-04-23 14:15:29 +02:00 · 2024-04-23 14:15:29 +02:00 · ab6bf73b3f
commit ab6bf73b3f
parent def7b6c0ee
3 changed files with 69 additions and 19 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -24,31 +24,32 @@
 * Xerces
 * libxml2
 // Java
+* Android
 * Apache Commons
+* Apache Commons
+* Apache Commons Email
+* Apache HttpClient
+* Auth0 JWT
+* Commons Compiler
+* Dom4j
+* FasterXML
+* Groovy
+* Gson
+* Hibernate
+* Java Cryptography Extension
+* Java EE
+* Java JWT
+* Java SE
+* Jdom2
 * JSP
+* Legacy Mongo Java API
+* OkHttp
+* Realm
 * Servlet
 * Spring
 * Spring Data Redis
-* Thymeleaf
-* Java SE
-* Java EE
-* Hibernate
-* Apache Commons
-* Commons Compiler
-* Legacy Mongo Java API
-* FasterXML
-* Gson
-* Android
-* Dom4j
-* Jdom2
-* OkHttp
-* Java JWT
-* Auth0 JWT
-* Apache Commons Email
 * SQLCipher
-* Realm
-* Java Cryptography Extension
-* Apache HttpClient
+* Thymeleaf
 // JS
 * Flow.js
 * Node.js
--- a/rules/S5496/java/how-to-fix-it/groovy.adoc
+++ b/rules/S5496/java/how-to-fix-it/groovy.adoc
@ -0,0 +1,47 @@
+== How to fix it in Groovy
+
+=== Code examples
+
+==== Noncompliant code example
+
+The following code example is vulnerable to a Server-Side Template Injection
+attack because it builds a template string from a user input without control or
+sanitation.
+
+[source,java,diff-id=21,diff-type=noncompliant]
+----
+@GetMapping("/example")
+public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
+    String templateString = "h1('" + title + "')";
+    TemplateConfiguration config = new TemplateConfiguration();         
+    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
+    Template template = engine.createTemplate(templateString); // Noncompliant
+    Writable out = template.make();
+    return out.toString();
+}
+----
+
+==== Compliant solution
+
+[source,java,diff-id=21,diff-type=compliant]
+----
+@GetMapping("/example")
+public String example(@RequestParam("title") String title) throws CompilationFailedException, ClassNotFoundException, IOException {
+    String templateString = "h1(title)";
+
+    Map<String, Object> ctx = new HashMap<>();
+    ctx.put("title", title);
+
+    TemplateConfiguration config = new TemplateConfiguration();         
+    MarkupTemplateEngine engine = new MarkupTemplateEngine(config);     
+    Template template = engine.createTemplate(templateString);
+    Writable out = template.make(ctx);
+    return out.toString();
+}
+----
+
+=== How does this work?
+
+The compliant code example uses a template binding to pass user information to
+the template. The rendering engine then ensures that this tainted data is
+processed in a way that will not change the template semantics.
--- a/rules/S5496/java/rule.adoc
+++ b/rules/S5496/java/rule.adoc
@ -8,6 +8,8 @@ include::../impact.adoc[]

 include::how-to-fix-it/spring.adoc[]

+include::how-to-fix-it/groovy.adoc[]
+

 == Resources