Template Injection
Description
The application may let an attacker control part of a template string, which leads to code injection. Building the template by concatenating user input into it means the input is parsed as Velocity Template Language (VTL) rather than as data: an adversary can supply directives such as `#set` and method calls on objects reachable from the context, and in this way execute arbitrary Java code, including operating system commands.
Examples
Insecure Code
```java
// User input is concatenated into the template source, so any VTL it contains is executed.
Velocity.evaluate(context, stringWriter, "demo", "Hello " + userInput);
```
Secure Code
```java
// The template is a constant; $userInput is a context variable and $esc is an
// EscapeTool registered in the context, so the input is rendered as escaped data.
Velocity.evaluate(context, stringWriter, "demo", "Hello $esc.html($userInput)");
```
Remediation
Keep the template string static and pass user-supplied data into it through a `VelocityContext` object (`context.put("userInput", userInput)`) instead of concatenating the input into the template. Reference the value from the template as a variable, and apply an escape tool such as `EscapeTool` (`$esc.html(...)`, from velocity-tools) so the value is encoded for the output format. Note that escaping addresses injection into the rendered output (for example HTML); the defence against template injection itself is that user input never becomes part of the template source. As a second layer, limit what objects are placed in the context and consider configuring Velocity's `SecureUberspector` (`runtime.introspector.uberspect` property), which blocks reflective access to classes such as `Class` and `ClassLoader` from templates.
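The following is an added, complete example (not code from the original rule page) that places the two calls above side by side. It assumes `velocity-engine-core` and `velocity-tools-generic` on the classpath; the class name, method names and the sample payload are constructed for illustration.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.tools.generic.EscapeTool;

public class VelocityTemplateInjectionDemo {

    // Vulnerable: attacker-controlled text becomes part of the template source, so any
    // VTL it contains (#set, #foreach, $object.method() ...) is parsed and executed.
    static String renderUnsafe(String userInput) {
        VelocityContext context = new VelocityContext();
        StringWriter out = new StringWriter();
        Velocity.evaluate(context, out, "demo", "Hello " + userInput);
        return out.toString();
    }

    // Hardened: the template is a constant; user input enters only as a context
    // variable and is HTML-escaped on output through EscapeTool.
    private static final String GREETING_TEMPLATE = "Hello $esc.html($userInput)";

    static String renderSafe(String userInput) {
        VelocityContext context = new VelocityContext();
        context.put("esc", new EscapeTool());   // provides $esc.html(...)
        context.put("userInput", userInput);    // data, never template source
        StringWriter out = new StringWriter();
        Velocity.evaluate(context, out, "demo", GREETING_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        Velocity.init();
        // Constructed sample payload: a VTL directive wrapped in HTML, as an attacker
        // might submit it in a form field.
        String payload = "<b>#set($x = 6 * 7)$x</b>";
        // In the unsafe path the #set directive is evaluated and the <b> tags pass
        // through; in the safe path the payload is printed literally with <, > and
        // the other HTML metacharacters encoded.
        System.out.println("unsafe: " + renderUnsafe(payload));
        System.out.println("safe:   " + renderSafe(payload));
    }
}
```

The difference to look for is in the unsafe output: the `#set` directive disappears and its result is substituted, proving that the input was executed as template code. In the safe path the same bytes arrive as a variable value, so Velocity never parses them as VTL, and `EscapeTool` additionally prevents the `<b>` markup from reaching the browser unencoded.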
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0728 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | template injection, code injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |