Fix Server-side template injection

fugerit79 · fugerit79 · commit 73b6ff52da01 · 2023-10-15T21:55:21.000+02:00
Note that this is only a demo app. https://github.com/fugerit-org/fj-doc/security/code-scanning/9
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - favicon and logo for playground quarkus
 
+### Fixed
+
+- [Server-side template injection](https://github.com/fugerit-org/fj-doc/security/code-scanning/9)
+
 ## [3.1.5] - 2023-10-15
 
 ### Added
diff --git a/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/doc/GenerateRest.java b/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/doc/GenerateRest.java
@@ -31,6 +31,9 @@
 import org.fugerit.java.doc.playground.facade.BasicInput;
 import org.fugerit.java.doc.playground.facade.InputFacade;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import freemarker.cache.StringTemplateLoader;
 import freemarker.template.Configuration;
 import freemarker.template.Template;
@@ -57,21 +60,29 @@ private void doHandle( DocTypeHandler handler, String type, int sourceType, Read
 		} );
 	}
 	
+	private void handleConfiguration( Configuration configuration, String freemarkerJsonData, String ftlData, String chainId ) {
+		StringTemplateLoader loader = new StringTemplateLoader();
+		String chainData = "<#assign ftlData = "+freemarkerJsonData+">"+ftlData;
+		loader.putTemplate( chainId , chainData );
+		configuration.setTemplateLoader( loader );
+	}
+	
 	private void handleFtlx( DocTypeHandler handler, String type, int sourceType, Reader reader, ByteArrayOutputStream baos, String freemarkerJsonData ) {
 		SafeFunction.apply( () -> {
 			// volatile FreeMarker Template configuration
-			String templateName = "current"+System.currentTimeMillis();
+			String chainId = "current_"+System.currentTimeMillis();
 			Configuration configuration = new Configuration( new Version( FreeMarkerConfigStep.ATT_FREEMARKER_CONFIG_KEY_VERSION_LATEST ) );
-			StringTemplateLoader loader = new StringTemplateLoader();
-			String templateData = "<#assign ftlData = "+freemarkerJsonData+">"+StreamIO.readString( reader );
-			loader.putTemplate( templateName , templateData );
-			configuration.setTemplateLoader( loader );
-			Template template = configuration.getTemplate( templateName );
-			Map<Object, Object> data = new HashMap<>();
-			try ( StringWriter writer = new StringWriter() ) {
-				template.process( data , writer );
-				try ( StringReader ftlReader = new StringReader( writer.toString() ) ) {
-					this.doHandle(handler, type, sourceType, ftlReader, baos);
+			ObjectMapper mapper = new ObjectMapper();
+			try ( StringReader jsonReader = new StringReader(freemarkerJsonData) ) {
+				JsonNode node = mapper.readTree( jsonReader ); // parse json node to sanitize input
+				this.handleConfiguration(configuration, mapper.writeValueAsString( node ), StreamIO.readString( reader ), chainId );
+				Template currentChain = configuration.getTemplate( chainId );
+				Map<Object, Object> data = new HashMap<>();
+				try ( StringWriter writer = new StringWriter() ) {
+					currentChain.process( data , writer );
+					try ( StringReader ftlReader = new StringReader( writer.toString() ) ) {
+						this.doHandle(handler, type, sourceType, ftlReader, baos);
+					}
 				}
 			}
 			configuration.clearTemplateCache();
