diff --git a/pom.xml b/pom.xml index 59ded444..0ac5a163 100644 --- a/pom.xml +++ b/pom.xml @@ -31,6 +31,11 @@ commons-io 2.11.0 + + org.apache.commons + commons-text + 1.9 + commons-codec commons-codec diff --git a/src/main/java/demo/security/servlet/TemplateServlet.java b/src/main/java/demo/security/servlet/TemplateServlet.java new file mode 100644 index 00000000..6f5b07a0 --- /dev/null +++ b/src/main/java/demo/security/servlet/TemplateServlet.java @@ -0,0 +1,27 @@ +package demo.security.servlet; + +import org.apache.commons.text.StringSubstitutor; + +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.io.PrintWriter; + +@WebServlet("/template") +public class TemplateServlet extends HttpServlet { + + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String template = request.getParameter("template"); + // CVE-2022-42889: StringSubstitutor with user-controlled input allows + // arbitrary code execution via script/dns/url lookups + String result = StringSubstitutor.replaceSystemProperties(template); + response.setContentType("text/html"); + PrintWriter out = response.getWriter(); + out.print("

" + result + "

"); + out.close(); + } +}