参考:
- java安全开发之spring boot Thymeleaf模板注入
- https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/
- https://github.com/veracode-research/spring-view-manipulation
场景是view的名字是用户可控时,
实际测试发现跟Spring boot的版本有关,其默认自带的Thymeleaf版本有关。
spring boot:1.5.1.RELEASE spring-boot-starter-thymeleaf:2.1.5
spring boot:2.0.0.RELEASE spring-boot-starter-thymeleaf:3.0.9
spring boot:2.2.0.RELEASE spring-boot-starter-thymeleaf:3.0.11
3.x版本的thymeleaf才受影响。
renderFragment
3.x版本的thymeleaf-spring5是这样的:
if (!viewTemplateName.contains("::")) {
templateName = viewTemplateName;
markupSelectors = null;
} else {
IStandardExpressionParser parser = StandardExpressions.getExpressionParser(configuration);
FragmentExpression fragmentExpression;
try {
fragmentExpression = (FragmentExpression)parser.parseExpression(context, "~{" + viewTemplateName + "}");
} catch (TemplateProcessingException var25) {
throw new IllegalArgumentException("Invalid template name specification: '" + viewTemplateName + "'");
}
而2.x的thymeleaf-spring4是这样的
Configuration configuration = viewTemplateEngine.getConfiguration();
ProcessingContext processingContext = new ProcessingContext(context);
templateCharacterEncoding = getStandardDialectPrefix(configuration);
StandardFragment fragment = StandardFragmentProcessor.computeStandardFragmentSpec(configuration, processingContext, viewTemplateName, templateCharacterEncoding, "fragment");
if (fragment == null) {
throw new IllegalArgumentException("Invalid template name specification: '" + viewTemplateName + "'");
}