CVE ID(s)
This has not been run against LGTM projects yet.
Report
An unrestricted view name manipulation in Spring Framework can be dangerous.
Consider the snippet shown below.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
@Controller
public class ViewNameController {
    @GetMapping("/path")
    public String path(@RequestParam String lang) {
        return "user/" + lang + "/welcome"; // template path is tainted by a request parameter
    }

    @GetMapping("/fragment")
    public String fragment(@RequestParam String section) {
        return "welcome :: " + section; // fragment selector is tainted by a request parameter
    }
}
At first glance the first case looks like a path traversal vulnerability, but the template resolver confines lookups to the 'templates' folder on the server, so a user cannot read files outside it.
Unfortunately, before loading the template from the filesystem, the thymeleaf-spring integration class ThymeleafView (org.thymeleaf.spring5.view.ThymeleafView, in renderFragment) first parses the whole view name as a standard expression:
FragmentExpression fragmentExpression;
try {
    // By parsing it as a standard expression, we might profit from the expression cache
    fragmentExpression = (FragmentExpression) parser.parseExpression(context, "~{" + viewTemplateName + "}");
} catch (final TemplateProcessingException e) {
    throw new IllegalArgumentException("Invalid template name specification: '" + viewTemplateName + "'");
}
So the controllers above are exploitable not through path traversal but through expression language injection: the request parameter ends up inside the "~{...}" fragment expression that Thymeleaf evaluates. The detailed approach for exploiting this type of bug can be found in this report by Veracode.
This is a critical severity issue: whenever untrusted data reaches the view name returned from a controller, it can lead to expression language injection and therefore to Remote Code Execution.
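As an added example (not code from this submission or from the codeql PR), here are the two controllers from the report next to hardened versions. The hardened methods never concatenate the raw request parameter into the view name: the value is matched against a fixed allowlist of known template names or fragment selectors, and anything else is rejected with a 400 before a view is chosen, so only the application's own string literals reach the expression parser. The class and method names are mine, and the example assumes a Spring Boot application with spring-boot-starter-thymeleaf on the classpath and templates at templates/user/<lang>/welcome.html.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical controller written for this example; not part of the original report.
@Controller
public class WelcomeController {

    // Fixed set of languages that have a template under templates/user/<lang>/welcome.html (assumed layout).
    private static final Set<String> LANGS = Set.of("en", "de", "fr");

    // Fixed mapping from a public section identifier to the th:fragment name inside welcome.html (assumed names).
    private static final Map<String, String> SECTIONS = Map.of(
            "header", "header",
            "body", "main",
            "footer", "footer");

    // Vulnerable: the request parameter becomes part of the view name, so ThymeleafView
    // parses attacker-controlled text as part of the "~{...}" fragment expression.
    @GetMapping("/path")
    public String path(@RequestParam String lang) {
        return "user/" + lang + "/welcome";
    }

    // Hardened: the parameter only selects one of our own constants, which is what gets concatenated.
    @GetMapping("/path-safe")
    public String pathSafe(@RequestParam String lang) {
        return "user/" + requireAllowed(lang, LANGS) + "/welcome";
    }

    // Vulnerable: the fragment selector after "::" is attacker-controlled.
    @GetMapping("/fragment")
    public String fragment(@RequestParam String section) {
        return "welcome :: " + section;
    }

    // Hardened: the parameter is only a lookup key; the emitted selector is one of our own literals.
    @GetMapping("/fragment-safe")
    public String fragmentSafe(@RequestParam String section) {
        String selector = SECTIONS.get(section);
        if (selector == null) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown section");
        }
        return "welcome :: " + selector;
    }

    // Returns the matching allowlist constant (not the caller's string) or fails the request with 400.
    // Because the return value is always one of our own literals, no user-supplied bytes enter the view name.
    static String requireAllowed(String value, Set<String> allowed) {
        for (String candidate : allowed) {
            if (candidate.equals(value)) {
                return candidate;
            }
        }
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unsupported value");
    }
}
```

Two points worth checking when reviewing similar code: Spring only treats a returned String as a view name on handler methods without @ResponseBody, so a method that was meant to return plain text is fixed simply by adding @ResponseBody (or moving it to a @RestController); and an allowlist check must return the allowlist constant itself rather than the validated input, otherwise a later refactoring that loosens the comparison silently reintroduces the taint.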
This PR adds a query to test for the same.
Link to corresponding PR: github/codeql#4214
Result(s)
I can't name a true positive off the top of my head. However, my query should throw a few alerts on the examples included in Veracode's research paper on View Manipulation Vulnerabilities.