
Conversation

@AT190510-Cuong
Contributor

fix: add security validation to FreemarkerTemplateEngine to prevent SSTI

This patch introduces a validation step before processing Freemarker templates
to detect and block potentially dangerous expressions that could lead to
Server-Side Template Injection (SSTI).

Specifically, the new validateTemplateSecurity() method scans the template
content for forbidden patterns such as:

  • freemarker.template.utility.Execute
  • java.lang.Runtime
  • java.lang.System
  • java.lang.reflect
  • ?new, ?eval, ?api

If any of these are detected, an XDocReportException is thrown to stop template
execution.

This fix does not change normal template rendering behavior and remains fully
backward compatible for safe templates.

@angelozerr
Member

Why are you doing a new PR instead of updating the first?

@angelozerr
Member

CI build not working (compilation problem).

<natures>
<nature>org.eclipse.m2e.core.maven2Nature</nature>
</natures>
<filteredResources>
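Review bot: this hunk edits Eclipse project metadata (`<nature>org.eclipse.m2e.core.maven2Nature</nature>` inside `<natures>`, followed by `<filteredResources>`), which is unrelated to the FreemarkerTemplateEngine validation the PR describes; drop this file from the change so the PR carries only the security fix and reviewers are not asked to vet IDE configuration alongside it.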
Member

Why do you need this change? Please remove it.

@@ -0,0 +1,217 @@
/**
* Copyright (C) 2011-2015 The XDocReport Team <[email protected]>
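Review bot: the `@@ -0,0 +1,217 @@` header shows this is a brand-new 217-line file, while the description presents the change as adding a `validateTemplateSecurity()` method to FreemarkerTemplateEngine; state in the description which class this file introduces and why the check does not live on the existing engine. The header line `* Copyright (C) 2011-2015 The XDocReport Team` also stops at 2015 and should cover the year of this change.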
Member

Update date with 2025

@angelozerr
Member

Your PR reads the template, converts it to a String and uses matches to check whether some pattern exists, which is very bad for performance.

The Reader must be read just one time to parse the template, not to check for some used pattern. Moreover, those patterns are declared by the user, so I don't see any value in checking that.
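The PR description proposes scanning the template text for forbidden strings such as `freemarker.template.utility.Execute` and `?new`, and the maintainer's reply objects that this reads the template into a String only to pattern-match it. The block below is an added example, not code from the PR or from XDocReport, showing the control FreeMarker itself provides for the `?new` and `?api` cases: a `TemplateClassResolver` that refuses every class instantiation, plus explicitly disabling the `?api` built-in, both enforced when the expression is evaluated rather than by inspecting the template text. The class name `SafeFreemarkerConfig`, the `render` helper and the two inline templates (one benign, one constructed for this example to assemble the `Execute` class name from two string literals so that a literal text scan would never see it) are assumptions of this example, not anything in the PR.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/** Example class (hypothetical name): FreeMarker hardened at evaluation time. */
public class SafeFreemarkerConfig {

    /** Returns a Configuration in which ?new and ?api are refused at evaluation time. */
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The ?new built-in asks this resolver for every class it is asked to
        // instantiate. ALLOWS_NOTHING_RESOLVER refuses all of them, so
        // "freemarker.template.utility.Execute"?new() fails no matter how the
        // class name was spelled or assembled inside the template.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes the raw Java object behind a template value. It is off by
        // default; setting it explicitly keeps a later config change from
        // silently turning it on.
        cfg.setAPIBuiltinEnabled(false);
        // Fail loudly instead of writing the error text into the rendered document.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /** Parses the template from a Reader once and renders it against the model. */
    public static String render(Configuration cfg, String ftl, Map<String, Object> model)
            throws Exception {
        Template template = new Template("inline", new StringReader(ftl), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = new HashMap<>();
        model.put("name", "World");

        // Benign template (constructed for this example): unaffected by the hardening.
        System.out.println(render(cfg, "Hello ${name}!", model));

        // Hostile template (constructed for this example). The class name is
        // built from two literals at evaluation time, so a scan of the template
        // text for "freemarker.template.utility.Execute" would not match it.
        String hostile =
            "<#assign ex=(\"freemarker.template.utility.\" + \"Execute\")?new()>${ex(\"id\")}";
        try {
            render(cfg, hostile, model);
            System.out.println("UNEXPECTED: hostile template rendered");
        } catch (TemplateException e) {
            // Thrown by the resolver when ?new() is evaluated; nothing was executed.
            System.out.println("blocked by resolver: " + e.getMessage());
        }
    }
}
```

With `ALLOWS_NOTHING_RESOLVER` the hostile template fails at evaluation with a `TemplateException`, while `Hello ${name}!` renders normally, and the Reader is consumed exactly once by the parser, which addresses the performance objection above. A template has no route to `java.lang.Runtime`, `java.lang.System` or `java.lang.reflect` other than `?new`, `?api` or an object the application itself placed in the data model, so what goes into the model still needs the same scrutiny as the configuration.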
