View Manipulation

ID

java.view_manipulation

Severity

critical

Resource

Injection

Language

Java

Tags

CWE:917, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper neutralization of external input used to select a web view.

Rationale

Unrestricted manipulation of view names in the Spring framework (Spring MVC), when Thymeleaf is used as the templating engine, can lead to remote code execution. Thymeleaf supports layouts and fragments, which allows a Spring MVC controller to build a dynamic view or fragment name. At runtime, the Spring ThymeleafView class parses the template name as an expression, so any attacker-controlled text in that name is evaluated, leaving it susceptible to expression language injection attacks.

Consequently, if untrusted data is incorporated into a view name returned from the controller, it can result in an Expression Language Injection, potentially leading to Remote Code Execution.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class DummyController {

  @RequestMapping("/")
  public String index(@RequestParam String section) {
    // The request parameter is concatenated straight into the view name,
    // which ThymeleafView later parses as an expression.
    return "sections/" + section + "/index"; // FLAW - template path is tainted
  }
}

Remediation

Do not allow view names to depend on external inputs.

If this behaviour is really needed, use an allow-list (whitelist) approach to validate the view name (or its fragment part) before it is used: the returned view name must be built only from values the application itself defines, never from the raw request parameter.
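The allow-list approach applied to the controller above, as an added example that is not part of the original page; it assumes Spring MVC with Thymeleaf, and the section and fragment names are constructed for illustration.

```java
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class SectionController {

  // Closed sets of the view directories and fragment names that actually
  // exist under templates/sections/ (constructed values for this example).
  private static final Set<String> ALLOWED_SECTIONS = Set.of("home", "news", "about");
  private static final Set<String> ALLOWED_FRAGMENTS = Set.of("header", "body", "footer");

  @RequestMapping("/")
  public String index(@RequestParam String section) {
    // The raw parameter never reaches the view name: only a value that is
    // already in the allow-list is concatenated, so nothing attacker-controlled
    // is handed to ThymeleafView's expression parsing.
    String safeSection = requireAllowed(section, ALLOWED_SECTIONS);
    return "sections/" + safeSection + "/index";
  }

  @RequestMapping("/fragment")
  public String fragment(@RequestParam String section, @RequestParam String part) {
    // Same rule for the fragment selector ("template :: fragment"): both halves
    // come from allow-lists, not from the request.
    String safeSection = requireAllowed(section, ALLOWED_SECTIONS);
    String safePart = requireAllowed(part, ALLOWED_FRAGMENTS);
    return "sections/" + safeSection + "/index :: " + safePart;
  }

  // Returns the requested value only if it is an exact member of the allow-list;
  // anything else (including null) is rejected with a 404 instead of being
  // "sanitised", which avoids partial neutralization mistakes.
  static String requireAllowed(String requested, Set<String> allowed) {
    if (requested != null && allowed.contains(requested)) {
      return requested;
    }
    throw new ResponseStatusException(HttpStatus.NOT_FOUND, "unknown view");
  }
}
```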