github-actions[bot] 846d6c7568
Create rule S5496: Server-side templates should not be vulnerable to injection attacks (#3861)
* Add java to rule S5496

* Add S5496 for Java

* Adjustments based on review

* Fix to make asciidoc tests pass

---------

Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2024-04-18 15:26:08 +02:00


== How to fix it in Spring
=== Code examples
The following code examples assume that the `tainted` variable is controlled by an attacker and is not sanitized before being used in the template. For instance, consider the following endpoint that could be defined within a Spring controller:
[source,java]
----
@GetMapping("/example")
public String noncompliant(@RequestParam String tainted, Map<String, Object> model) {
    model.put("tainted", tainted);
    return "template";
}
----
==== Noncompliant code example
The following code example is vulnerable to a Server-Side Template Injection (SSTI) attack if the `tainted` variable is not sanitized before being used in the `th:text` attribute. The `&lowbar;&lowbar;&dollar;&lcub;&period;&period;&period;&rcub;&lowbar;&lowbar;` syntax indicates that this variable should be preprocessed by Thymeleaf before being used in the template. If the `tainted` variable is controlled by an attacker, they can inject arbitrary code into the template.
[source,html,diff-id=11,diff-type=noncompliant]
----
<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<body>
<div>
<span th:text="${__${tainted}__}"></span> <!-- Noncompliant -->
</div>
</body>
</html>
----
==== Compliant solution
[source,html,diff-id=11,diff-type=compliant]
----
<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<body>
<div>
<span th:text="${tainted}"></span>
</div>
</body>
</html>
----
=== How does this work?
The compliant code example does not use preprocessing, so the `tainted` variable is inserted into the template directly as a value rather than first being evaluated as an expression. This prevents an attacker from injecting arbitrary code into the template.
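The following Java program is an added illustration and is not part of the rule, of SonarSource's analyzers, or of the Thymeleaf project. It renders the compliant template through Thymeleaf's `StringTemplateResolver` with an input that looks both like markup and like an expression, so the escaped output can be inspected, and it adds a small source-level check that flags the preprocessing syntax used in the noncompliant example (extended to the other standard expression sigils Thymeleaf preprocesses, not only the `$` form shown above). The class name `SstiTemplateCheck`, the method names, the constructed templates and the sample input are assumptions; the program needs the `thymeleaf` 3.x artifact on the classpath.

```java
// Added example (not part of the rule or of Thymeleaf): renders the compliant
// template and scans template source for preprocessed expressions.
// Assumes thymeleaf 3.x on the classpath; class and method names are our own.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class SstiTemplateCheck {

    // Constructed template mirroring the compliant solution above.
    static final String COMPLIANT_TEMPLATE =
        "<!DOCTYPE HTML>\n"
      + "<html xmlns:th=\"http://www.thymeleaf.org\">\n"
      + "<body>\n"
      + "<div>\n"
      + "<span th:text=\"${tainted}\"></span>\n"
      + "</div>\n"
      + "</body>\n"
      + "</html>\n";

    // Constructed template mirroring the noncompliant example above.
    static final String NONCOMPLIANT_TEMPLATE =
        COMPLIANT_TEMPLATE.replace("${tainted}", "${__${tainted}__}");

    // Thymeleaf preprocessing wraps a standard expression (${...}, *{...},
    // #{...}, @{...} or ~{...}) in double underscores; the rule's example
    // uses the ${...} form. This pattern flags any of them.
    private static final Pattern PREPROCESSING =
        Pattern.compile("__[$*#@~]\\{[^}]*\\}__");

    /** Renders a template string with the given value bound to "tainted". */
    static String render(String template, String tainted) {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        Context context = new Context();
        context.setVariable("tainted", tainted);
        return engine.process(template, context);
    }

    /** Returns the 1-based line numbers on which a preprocessed expression appears. */
    static List<Integer> findPreprocessedExpressions(String templateSource) {
        List<Integer> hits = new ArrayList<>();
        String[] lines = templateSource.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = PREPROCESSING.matcher(lines[i]);
            if (m.find()) {
                hits.add(i + 1);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed input: looks like markup and like a Thymeleaf expression.
        String tainted = "<b>${1 + 1}</b>";

        // With th:text and no preprocessing the value is emitted as escaped
        // text; the "${1 + 1}" inside it never reaches the expression evaluator.
        System.out.println(render(COMPLIANT_TEMPLATE, tainted));

        // A build-time check: flag templates that preprocess a variable.
        System.out.println("Compliant template hits: "
            + findPreprocessedExpressions(COMPLIANT_TEMPLATE));
        System.out.println("Noncompliant template hits: "
            + findPreprocessedExpressions(NONCOMPLIANT_TEMPLATE));
    }
}
```

The rendered span should contain the sample input as escaped text (angle brackets replaced by entities) with the expression-like part left as plain characters, and the scanner should report no hits for the compliant template and the line of the `th:text` attribute for the noncompliant one. The scanner is deliberately limited to template source: it does not try to decide whether the preprocessed value is attacker-controlled, so it is a triage aid to be combined with a review of where the variable comes from, as the controller example above illustrates.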
==== Thymeleaf's Built-in Security Measures
It is worth noting that since Thymeleaf version 3.0.12, expressions are executed in a sandboxed environment where only a limited set of classes and methods are available. While this makes SSTI vulnerabilities harder to exploit, it does not make exploitation impossible: unknown bypasses might still allow attackers to execute arbitrary code.