diff --git a/pom.xml b/pom.xml
index 59ded444..0ac5a163 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,6 +31,11 @@
commons-io
2.11.0
+
+ org.apache.commons
+ commons-text
+ 1.9
+
commons-codec
commons-codec
diff --git a/src/main/java/demo/security/servlet/TemplateServlet.java b/src/main/java/demo/security/servlet/TemplateServlet.java
new file mode 100644
index 00000000..6f5b07a0
--- /dev/null
+++ b/src/main/java/demo/security/servlet/TemplateServlet.java
@@ -0,0 +1,27 @@
+package demo.security.servlet;
+
+import org.apache.commons.text.StringSubstitutor;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+@WebServlet("/template")
+public class TemplateServlet extends HttpServlet {
+
+ protected void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ String template = request.getParameter("template");
+ // CVE-2022-42889: StringSubstitutor with user-controlled input allows
+ // arbitrary code execution via script/dns/url lookups
+ String result = StringSubstitutor.replaceSystemProperties(template);
+ response.setContentType("text/html");
+ PrintWriter out = response.getWriter();
+ out.print("" + result + "
");
+ out.close();
+ }
+}