Fix SSTI vulnerability in FreemarkerTemplateEngine and add security test case

AT190510-Cuong · AT190510-Cuong · commit 34458a356915 · 2025-10-23T10:30:10.000+07:00
diff --git a/integrationtests/.project b/integrationtests/.project
@@ -14,4 +14,15 @@
 	<natures>
 		<nature>org.eclipse.m2e.core.maven2Nature</nature>
 	</natures>
+	<filteredResources>
+		<filter>
+			<id>1761187845433</id>
+			<name></name>
+			<type>30</type>
+			<matcher>
+				<id>org.eclipse.core.resources.regexFilterMatcher</id>
+				<arguments>node_modules|\.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__</arguments>
+			</matcher>
+		</filter>
+	</filteredResources>
 </projectDescription>
diff --git a/template/fr.opensagres.xdocreport.template.freemarker/src/main/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngine.java b/template/fr.opensagres.xdocreport.template.freemarker/src/main/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngine.java
@@ -33,6 +33,7 @@
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import fr.opensagres.xdocreport.core.EncodingConstants;
 import fr.opensagres.xdocreport.core.XDocReportException;
@@ -116,8 +117,14 @@ protected void processWithCache( String templateName, IContext context, Writer w
     protected void processNoCache( String templateName, IContext context, Reader reader, Writer writer )
         throws XDocReportException, IOException
     {
-        // Create a new template.
-        Template template = new Template( templateName, getReader( reader ), getFreemarkerConfiguration() );
+        // Read template content for validation and processing
+        String templateContent = IOUtils.toString(reader);
+        
+        // Validate template content for security threats
+        validateTemplateSecurity(new StringReader(templateContent));
+        
+        // Create a new template with validated content, but let getReader handle any modifications
+        Template template = new Template( templateName, getReader( new StringReader(templateContent) ), getFreemarkerConfiguration() );
         // Merge template with Java model
         process( context, writer, template );
     }
@@ -294,8 +301,14 @@ public void process( String templateName, IContext context, Writer writer )
 
         try
         {
-            // Create a new template.
-            Template template = new Template( templateName, reader, getFreemarkerConfiguration() );
+            // Read template content for validation and processing
+            String templateContent = IOUtils.toString(reader);
+            
+            // Validate template content for security threats
+            validateTemplateSecurity(new StringReader(templateContent));
+            
+            // Create a new template with validated content, but let getReader handle any modifications
+            Template template = new Template( templateName, getReader( new StringReader(templateContent) ), getFreemarkerConfiguration() );
             // Merge template with Java model
             process( context, writer, template );
         }
@@ -323,4 +336,33 @@ public void addTemplateLoader( TemplateLoader loader )
     {
         templateLoaders.add( loader );
     }
+
+    /**
+     * Validate template content for security threats.
+     * This method checks for dangerous patterns that could lead to SSTI attacks.
+     * 
+     * @param reader the template reader to validate
+     * @throws XDocReportException if dangerous patterns are found
+     * @throws IOException if reading fails
+     */
+    private void validateTemplateSecurity(Reader reader) throws XDocReportException, IOException {
+        String templateSource = IOUtils.toString(reader);
+        
+        String[] dangerousPatterns = {
+            "freemarker.template.utility.Execute",
+            "java.lang.Runtime",
+            "java.lang.ProcessBuilder",
+            "java.lang.System",
+            "java.lang.reflect",
+            "?new",
+            "?eval",
+            "?api"
+        };
+        
+        for (String pattern : dangerousPatterns) {
+            if (templateSource.matches("(?i).*" + Pattern.quote(pattern) + ".*")) {
+                throw new XDocReportException("Security violation: forbidden pattern '" + pattern + "'");
+            }
+        }
+    }
 }
diff --git a/template/fr.opensagres.xdocreport.template.freemarker/src/test/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngineSecurityTestCase.java b/template/fr.opensagres.xdocreport.template.freemarker/src/test/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngineSecurityTestCase.java
@@ -0,0 +1,217 @@
+/**
+ * Copyright (C) 2011-2015 The XDocReport Team <xdocreport@googlegroups.com>
+ *
+ * All rights reserved.
+ *
+ * Permission is hereby granted, free  of charge, to any person obtaining
+ * a  copy  of this  software  and  associated  documentation files  (the
+ * "Software"), to  deal in  the Software without  restriction, including
+ * without limitation  the rights to  use, copy, modify,  merge, publish,
+ * distribute,  sublicense, and/or sell  copies of  the Software,  and to
+ * permit persons to whom the Software  is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The  above  copyright  notice  and  this permission  notice  shall  be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+ * EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+ * MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+package fr.opensagres.xdocreport.template.freemarker;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.io.Writer;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import fr.opensagres.xdocreport.core.XDocReportException;
+import fr.opensagres.xdocreport.template.IContext;
+
+/**
+ * Test case for FreemarkerTemplateEngine security validation.
+ * This test verifies that SSTI (Server-Side Template Injection) attacks are properly blocked.
+ */
+public class FreemarkerTemplateEngineSecurityTestCase
+{
+
+    @Test
+    public void testSSTIProtectionExecuteClass()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // This is the exact payload from the user's example
+        String maliciousTemplate = "${"freemarker.template.utility.Execute"?new()("whoami")}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for SSTI attack" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSSTIProtectionNewOperator()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test ?new operator detection
+        String maliciousTemplate = "${someClass?new()}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for ?new operator" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSSTIProtectionRuntimeClass()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test Runtime class detection
+        String maliciousTemplate = "${java.lang.Runtime.getRuntime().exec('whoami')}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for Runtime class" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSSTIProtectionProcessBuilderClass()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test ProcessBuilder class detection
+        String maliciousTemplate = "${java.lang.ProcessBuilder?new('whoami').start()}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for ProcessBuilder class" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSSTIProtectionSystemClass()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test System class detection
+        String maliciousTemplate = "${java.lang.System.getProperty('user.name')}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for System class" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSSTIProtectionReflectionClasses()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test reflection classes detection
+        String maliciousTemplate = "${java.lang.reflect.Method.invoke()}";
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( maliciousTemplate ), writer );
+            Assert.fail( "Expected XDocReportException for reflection classes" );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.assertTrue( "Exception should mention security violation", 
+                e.getMessage().contains( "Security violation" ) );
+            Assert.assertTrue( "Exception should mention forbidden pattern", 
+                e.getMessage().contains( "forbidden pattern" ) );
+        }
+    }
+
+    @Test
+    public void testSafeTemplateProcessing()
+        throws Exception
+    {
+        FreemarkerTemplateEngine engine = new FreemarkerTemplateEngine();
+        IContext context = engine.createContext();
+        Writer writer = new StringWriter();
+        
+        // Test that safe templates still work
+        String safeTemplate = "Hello ${name}!";
+        context.put( "name", "World" );
+        
+        try
+        {
+            engine.processNoCache( "test", context, new StringReader( safeTemplate ), writer );
+            Assert.assertEquals( "Hello World!", writer.toString() );
+        }
+        catch ( XDocReportException e )
+        {
+            Assert.fail( "Safe template should not throw security exception: " + e.getMessage() );
+        }
+    }
+}
+
