// Unsafe (deliberately): Apache Velocity `Velocity.evaluate(ctx, out, "tag", src)`
// parses `src` as an inline template and renders it in the same call. When `src`
// comes straight from a request parameter, as below, this is direct server-side
// template injection (SSTI): the caller controls the template, not just the data.
// The static-method shape keeps the call-chain text as `Velocity.evaluate`, so the
// class-qualified Java SSTI rule matches it without receiver type inference.
// Note: despite the class name (`UnsafeFreemarkerTemplate`), the engine exercised
// here is Velocity, not FreeMarker; the name is kept as-is for rule fixtures.
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import java.io.StringWriter;
import javax.servlet.http.HttpServletRequest;
/**
 * Deliberately vulnerable fixture: renders a caller-supplied Velocity template.
 *
 * <p>The {@code template} request parameter is passed, unmodified, to
 * {@code Velocity.evaluate}, which parses and executes it as an inline Velocity
 * template. Because the untrusted input is the template itself (not merely a
 * value placed into a trusted template), this is server-side template injection.
 * The class exists so a class-qualified {@code Velocity.evaluate} SSTI rule has a
 * positive match; do not copy this shape into production code.
 *
 * <p>NOTE(review): the class name says Freemarker but the engine used is Apache
 * Velocity. The identifier is left unchanged because callers/rule fixtures may
 * reference it.
 */
public class UnsafeFreemarkerTemplate {

  /**
   * Evaluates the request's {@code template} parameter as a Velocity template.
   *
   * @param req servlet request whose {@code template} parameter supplies the
   *     (untrusted) template source
   * @return the rendered output captured from the writer
   * @throws Exception propagated from Velocity on parse/render failure; the
   *     broad {@code throws Exception} is kept to preserve the existing signature
   */
  public String render(HttpServletRequest req) throws Exception {
    // Taint source: raw request parameter, no validation, allow-listing or escaping.
    String userTemplate = req.getParameter("template");

    // Empty context: the attacker-controlled template text is the entire payload.
    VelocityContext context = new VelocityContext();
    StringWriter writer = new StringWriter();

    // Sink: parses and renders userTemplate in one call -- the SSTI the rule flags.
    Velocity.evaluate(context, writer, "user-template", userTemplate);

    return writer.toString();
  }
}