fix: SSTI freemarker

AT190510-Cuong · AT190510-Cuong · commit b4d312f16597 · 2025-10-23T17:08:32.000+07:00
diff --git a/template/fr.opensagres.xdocreport.template.freemarker/src/main/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngine.java b/template/fr.opensagres.xdocreport.template.freemarker/src/main/java/fr/opensagres/xdocreport/template/freemarker/FreemarkerTemplateEngine.java
@@ -197,6 +197,16 @@ public void setFreemarkerConfiguration( Configuration freemarkerConfiguration )
         {
         }
         this.freemarkerConfiguration.setLocalizedLookup( false );
+        
+        // Security fix: Block dangerous class instantiation via ?new operator to prevent SSTI attacks
+        try
+        {
+            this.freemarkerConfiguration.setSetting( Configuration.NEW_BUILTIN_CLASS_RESOLVER_KEY, "safer" );
+        }
+        catch ( TemplateException e )
+        {
+            // Ignore configuration errors to maintain compatibility
+        }
     }
 
     public void extractFields( Reader reader, String entryName, FieldsExtractor extractor )

Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,16 @@ public void setFreemarkerConfiguration( Configuration freemarkerConfiguration )`
`197`	`197`	`{`
`198`	`198`	`}`
`199`	`199`	`this.freemarkerConfiguration.setLocalizedLookup( false );`
	`200`	`+`
	`201`	`+ // Security fix: Block dangerous class instantiation via ?new operator to prevent SSTI attacks`
	`202`	`+ try`
	`203`	`+ {`
	`204`	`+ this.freemarkerConfiguration.setSetting( Configuration.NEW_BUILTIN_CLASS_RESOLVER_KEY, "safer" );`
	`205`	`+ }`
	`206`	`+ catch ( TemplateException e )`
	`207`	`+ {`
	`208`	`+ // Ignore configuration errors to maintain compatibility`
	`209`	`+ }`
`200`	`210`	`}`
`201`	`211`
`202`	`212`	`public void extractFields( Reader reader, String entryName, FieldsExtractor extractor )`