It's quite common that templates are part of the source code, just like Java is. In Thymeleaf + Spring, for example, by default you can access any class with T(com.example.SomeClass), and then do whatever you want. FreeMarker is more restrictive there, but I assume the reason wasn't security, but simply to discourage logic in templates that should belong to the MVC Controller, and heavy Java API usage in templates generally.

See also: https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
On Mon, Mar 7, 2022 at 9:02 PM Taher Alkhateeb <ta...@pythys.com.invalid> wrote:
> Hello folks,
>
> I'm not sure if this is the proper mailing list to discuss such information. Anyway, I looked at the reported security vulnerability and it seems to be not critical unless the solution deployed has the ability to modify FTL files on the server. So it may not be critical depending on the type of solution being deployed, as you must be able to inject an FTL template and evaluate it to get access to a class loader and then use it to inject malicious code.
>
> Regards,
>
> On 3/7/22 17:43, Demarcq, Arnaud wrote:
> > Dear dev@freemarker.apache.org,
> >
> > We are using freemarker as our main templating engine for the various software me and my team are maintaining.
> >
> > In order to be certain our software is secure and compliant with the latest security standards, our code is dynamically tested with Veracode. We're currently having the latest version of freemarker flagged as dangerous because of this CVE:
> >
> > CVE-2021-46361 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361>
> > undefined: org.freemarker:freemarker is vulnerable to arbitrary code execution. Remote attackers are able to inject and execute malicious scripts on the host machine via crafted payloads to bypass security restrictions.
> >
> > The options we have are:
> >
> > * Waiting for a new release of freemarker that fixes this CVE
> > * Switching to another templating engine (which I would like to avoid if we can, as this would mean a breach in ascending compatibility due to syntax in the templates).
> >
> > Can you please kindly share if this issue is being actively worked on? If it is, do you have a tentative date for the next release?
> >
> > Many thanks and kind regards,
> >
> > Arnaud DEMARCQ

-- 
Best regards,
Daniel Dekany
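The thread above turns on one point: FreeMarker template text is as powerful as the Configuration lets it be, so the question is whether untrusted parties can supply templates, and, if they can, how much the engine is locked down. The following Java program is an added example written for this page; it is not code from the FreeMarker project or from anyone in the thread. It assumes freemarker 2.3.31 on the classpath and a Unix-like host where the `id` command exists. The template string is a constructed, attacker-style payload: the `?new` built-in instantiates a class by name, and `freemarker.template.utility.Execute` is a `TemplateMethodModel` shipped with FreeMarker that runs a shell command. The hardened configuration refuses it with a `TemplateException` before anything executes.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/**
 * Added example, not FreeMarker project code. Shows what a template author can
 * reach through ?new, and the Configuration settings that close it off when the
 * template text is not trusted (e.g. templates uploaded by users).
 */
public class FreeMarkerSandboxDemo {

    // Constructed attacker-controlled template (assumed payload for illustration).
    // ?new instantiates a class by name; Execute runs its argument as a command.
    static final String UNTRUSTED_TEMPLATE =
        "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        // Rethrow so a refused template fails loudly instead of printing into the output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /** Lenient: ?new may instantiate any class that implements TemplateModel. */
    static Configuration unrestricted() {
        Configuration cfg = baseConfig();
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    /** Hardened: for templates that come from outside the deployment. */
    static Configuration hardened() {
        Configuration cfg = baseConfig();
        // ?new can instantiate nothing at all. SAFER_RESOLVER is the middle ground:
        // it only blocks ObjectConstructor, Execute and JythonRuntime.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api exposes the raw Java object behind a model value; keep it off.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Renders the template; returns the output, or the reason it was refused. */
    static String render(Configuration cfg, String templateText) {
        try {
            Template t = new Template("untrusted", templateText, cfg);
            StringWriter out = new StringWriter();
            Map<String, Object> model = new HashMap<>();
            t.process(model, out);
            return "RENDERED: " + out;
        } catch (TemplateException e) {
            return "REFUSED: " + e.getMessageWithoutStackTop();
        } catch (IOException e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println(render(hardened(), UNTRUSTED_TEMPLATE));
        // Uncomment only if you want to watch the command actually run on your machine:
        // System.out.println(render(unrestricted(), UNTRUSTED_TEMPLATE));
    }
}
```

Note what the settings do and do not cover: `new_builtin_class_resolver` and `api_builtin_enabled` restrict the two built-ins that reach Java classes directly, but anything you put into the data model is still callable with whatever methods the `ObjectWrapper` exposes, so a deployment that accepts uploaded FTL also needs to review what objects it hands to `process()`. That is the same trust boundary Taher describes above: if FTL files on the server cannot be modified by outsiders, the template author is as trusted as the Java developer.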