ChangdongLi commented on pull request #68:
URL: https://github.com/apache/freemarker/pull/68#issuecomment-647052944


   Thanks. In our application, the values are strings. I will try to harden the
   code as you suggested.
   BTW our penetration tester followed
   https://ackcent.com/blog/in-depth-freemarker-template-injection/
   Maybe some features could be disabled by default in the future FreeMarker.
   
   
   On 21 Jun. 2020, 01:53, at 01:53, ddekany <[email protected]> wrote:
   >Depends on what kind of values you have in that `HashMap`. If they are
   >maps/lists/strings/number/boolean/dates, then it should be safe as far
   >as the model is concerned. (Normally, if you don't intend to expose
   >POJO-s, you should set `config.objectWrapper` to a
   >`SimpleObjectWrapper`.) Also note that `.locale_object` is a POJO
   >that's always exposed, though I'm not aware of attack vectors there,
   >assuming FreeMarker is up to date (or has a properly restricting
   >`ObjectWrapper`). Other than that, `TemplateLoader`-s can be a problem,
   >as they are accessible through `#include`/`#import`, and DoS attacks
   >(see these in the linked FAQ entry).
   >
   >As for your version, `Execute` can't be obtained since `?new` is
   >disabled. But, I guess you still prefer disabling these models, and
   >then `ObjectConstructor` should be disabled as well.
   >
   >-- 
   >You are receiving this because you authored the thread.
   >Reply to this email directly or view it on GitHub:
   >https://github.com/apache/freemarker/pull/68#issuecomment-647012684
   


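The hardening steps discussed in the quoted reply (a `SimpleObjectWrapper` when no POJOs are meant to be exposed, `?new` switched off so neither `Execute` nor `ObjectConstructor` can be instantiated, and a template loader that cannot reach anything `#include`/`#import` should not see) can be checked end to end with a small program. The code below is an added example written for this page; it is not code from the PR, from FreeMarker itself, or from either commenter. It uses only public FreeMarker 2.3.x API (`Configuration`, `SimpleObjectWrapper`, `TemplateClassResolver.ALLOWS_NOTHING`, `StringTemplateLoader`); the class name, template names and the `"reached"` marker template are assumptions made for the demo.

```java
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.SimpleObjectWrapper;
import freemarker.template.Template;
import freemarker.template.TemplateException;

// Added demo, not project code: builds a FreeMarker Configuration following the
// advice in the thread and shows that a template trying to obtain Execute via ?new fails.
public class HardenedFreeMarkerDemo {

    // Loader is kept in a field so main() can register a second (hostile) template later.
    private static final StringTemplateLoader LOADER = new StringTemplateLoader();

    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);

        // Only maps/lists/strings/numbers/booleans/dates are wrapped. Putting an arbitrary
        // POJO into the model makes wrapping fail instead of exposing its methods.
        cfg.setObjectWrapper(new SimpleObjectWrapper(Configuration.VERSION_2_3_30));

        // Disable ?new completely, so "freemarker.template.utility.Execute"?new() and
        // "freemarker.template.utility.ObjectConstructor"?new() both throw.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING);

        // ?api is off by default; set it explicitly so a later change cannot re-enable it silently.
        cfg.setAPIBuiltinEnabled(false);

        // In-memory loader: #include/#import can only reach templates registered here,
        // never the filesystem, classpath or a URL.
        LOADER.putTemplate("greeting.ftl", "Hello ${user}!");
        cfg.setTemplateLoader(LOADER);
        cfg.setDefaultEncoding("UTF-8");
        return cfg;
    }

    static String render(Configuration cfg, String templateName, Map<String, Object> model)
            throws Exception {
        Template t = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Model with string values only, as in the reporter's application.
        Map<String, Object> model = new HashMap<>();
        model.put("user", "alice");
        System.out.println(render(cfg, "greeting.ftl", model));   // Hello alice!

        // Constructed hostile template (assumed input for the demo): it only tries to
        // obtain the Execute model; it deliberately runs no command even if it succeeded.
        LOADER.putTemplate("evil.ftl",
                "<#assign ex = \"freemarker.template.utility.Execute\"?new()>reached");
        try {
            String out = render(cfg, "evil.ftl", model);
            System.out.println("NOT blocked, template rendered: " + out);
        } catch (TemplateException e) {
            // Expected with ALLOWS_NOTHING: ?new is refused before Execute is instantiated.
            System.out.println("blocked: " + e.getMessageWithoutStackTop());
        }
    }
}
```

Two caveats from the reply still apply after this setup: `.locale_object` remains a wrapped POJO whatever wrapper is configured, so keep FreeMarker itself current, and denial-of-service through the template language (deep recursion, huge loops) is not addressed by any of these settings.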
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

