new capacity bits (#67)

tests/fixtures/ssti/java/SafeFreemarkerConstant.java

@@ -0,0 +1,18 @@
+// Safe: Velocity.evaluate receives a constant template source string.
+// The user-controlled value is bound as a context *variable* (data),
+// which Velocity renders via its escape policy — not as template source.
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.Velocity;
+import java.io.StringWriter;
+import javax.servlet.http.HttpServletRequest;
+
+public class SafeFreemarkerConstant {
+    public String render(HttpServletRequest req) throws Exception {
+        VelocityContext ctx = new VelocityContext();
+        ctx.put("name", req.getParameter("name"));
+        StringWriter out = new StringWriter();
+        Velocity.evaluate(ctx, out, "greeting", "Hello, $name");
+        return out.toString();
+    }
+}

tests/fixtures/ssti/java/UnsafeFreemarkerProcess.java

@@ -0,0 +1,27 @@
+// Unsafe: Apache FreeMarker constructor takes a tainted template *source*
+// string (the second arg to `new Template(name, reader, cfg)` is read
+// once into the compiled body), then `tpl.process(model, out)` renders
+// it.  Without `TypeKind::Template`, idiomatic `Template tpl = new
+// Template(...); tpl.process(...)` shapes do not type-qualify
+// `tpl.process` to `Template.process`, so the existing flat SSTI rule
+// never fires.
+import freemarker.template.Configuration;
+import freemarker.template.Template;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
+public class UnsafeFreemarkerProcess {
+    public String render(HttpServletRequest req) throws Exception {
+        String src = req.getParameter("template");
+        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
+        Template tpl = new Template("user", new StringReader(src), cfg);
+        Map<String, Object> model = new HashMap<>();
+        model.put("user", req.getParameter("name"));
+        StringWriter out = new StringWriter();
+        tpl.process(model, out);
+        return out.toString();
+    }
+}

tests/fixtures/ssti/java/UnsafeFreemarkerTemplate.java

@@ -0,0 +1,20 @@
+// Unsafe: Apache Velocity `Velocity.evaluate(ctx, out, "tag", src)` parses
+// `src` as an inline template and renders it in one call.  When `src` is
+// taken from a request parameter, this is direct SSTI.  Static-method
+// shape ensures the chain text is `Velocity.evaluate`, matching the
+// class-qualified Java SSTI rule without needing receiver type inference.
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.Velocity;
+import java.io.StringWriter;
+import javax.servlet.http.HttpServletRequest;
+
+public class UnsafeFreemarkerTemplate {
+    public String render(HttpServletRequest req) throws Exception {
+        String src = req.getParameter("template");
+        VelocityContext ctx = new VelocityContext();
+        StringWriter out = new StringWriter();
+        Velocity.evaluate(ctx, out, "user-template", src);
+        return out.toString();
+    }
+}