Template Injection
Description
An attacker who controls the source of a template, not merely the values rendered into it, can execute arbitrary code on the server, because template engines evaluate the directives, method calls and object references a template contains. Velocity, FreeMarker and Pebble templates should therefore be treated as scripts: whoever can write the template can run code in the application's process.
Examples
Insecure Code
```scala
// The request-supplied string is used as the template source itself, so any
// directive or reference it contains is executed by the engine
Velocity.evaluate(ctx, out, "tag", userInput)
```
Secure Code
```scala
// Only application-controlled, validated input reaches the template source
Velocity.evaluate(ctx, out, "tag", validatedInput)
```
Remediation
Never build template source from user-controlled input. Keep templates as constants or resources under the application's control and pass user data into the template through the context, where the engine renders it as a plain value instead of parsing it. If users must supply their own templates, treat them as untrusted code: restrict what a template can reach (for example Velocity's SecureUberspector or FreeMarker's restrictive TemplateClassResolver settings), validate the template against an allowlist before evaluation, and bear in mind that such restrictions narrow the attack surface but do not make evaluating attacker-written templates safe.
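The difference between the insecure and secure patterns in full, as an added Scala example that is not part of this rule's own code. It assumes Apache Velocity (org.apache.velocity) is on the classpath; the object name, the method names and the sample input are constructed for illustration.

```scala
import java.io.StringWriter
import org.apache.velocity.VelocityContext
import org.apache.velocity.app.Velocity

object TemplateInjectionDemo {
  // Constructed sample input: a Velocity directive followed by a reference, the
  // kind of string an attacker would submit. It is not an exploit payload; it is
  // just enough to show whether the input is evaluated as template code or
  // rendered as text.
  val userInput: String = "#set($greeting = \"injected\")$greeting"

  // INSECURE: user input is concatenated into the template source, so the engine
  // parses and executes whatever directives and references it contains.
  def renderInsecure(input: String): String = {
    val out = new StringWriter()
    Velocity.evaluate(new VelocityContext(), out, "insecure", "Hello " + input)
    out.toString
  }

  // SECURE: the template source is a constant controlled by the application.
  // User input enters only as a context value, which the engine renders verbatim
  // rather than parsing, so directives in the input have no effect.
  def renderSecure(input: String): String = {
    val ctx = new VelocityContext()
    ctx.put("name", input)
    val out = new StringWriter()
    Velocity.evaluate(ctx, out, "secure", "Hello $name")
    out.toString
  }

  def main(args: Array[String]): Unit = {
    // Initialise the Velocity singleton before the first evaluate() call
    Velocity.init()
    println(renderInsecure(userInput))
    println(renderSecure(userInput))
  }
}
```

Run with the same input, the insecure variant executes the #set directive and prints the value it assigned, while the secure variant prints the submitted string character for character. The only change between them is where the user data goes: into the template source in one case, into the context in the other. That is the check a reviewer should apply to any evaluate() or render() call, rather than asking whether the input was "sanitized".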
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0074 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | template injection, code injection |
| OWASP | N/A |