Add SSTI, stored XSS, and SSRF vulnerability modules with Kotlin support #2

Open
misonijnik wants to merge 1 commit into demo/base from demo/spring

@misonijnik (Member) commented Mar 25, 2026

Introduce template injection patterns (FreeMarker/Thymeleaf), cross-endpoint
stored XSS flows with column-level sensitivity, SSRF via coroutine-based URL
fetch, and JPA persistence layer with H2. Update README to document all
vulnerability patterns and the expanded tech stack.
}

public String render(String name, String content) throws IOException, TemplateException {
Template template = new Template(name, new StringReader(content), templateConfig);
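
Review bot: in `render`, the `content` argument is compiled as template source by `new Template(name, new StringReader(content), templateConfig)`, so a caller who controls `content` controls template directives, not just data. If this is the intentional SSTI sample from the PR description, say so in a comment on the method so the finding is recognisably expected; otherwise load templates by name from a fixed location and pass caller-supplied values only through the data model.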

Check failure: Code scanning / OpenTaint
Unvalidated user data flows into template engine (Error)
Potential template injection: unvalidated user data flows into template engine
Context context = new Context();
context.setVariable("appName", "Demo Application");

return templateEngine.process(templateContent, context);
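
Review bot: `templateEngine.process(templateContent, context)` passes `templateContent` as the template argument, while the only value placed in `context` in the lines shown is the constant `appName`. The visible lines do not show where `templateContent` originates; if it carries request data, pass a fixed template name here and move the request value into the context with `context.setVariable(...)` so it is rendered as data.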

Check failure: Code scanning / OpenTaint
Unvalidated user data flows into template engine (Error)
Potential template injection: unvalidated user data flows into template engine
Comment on lines +57 to +59
return ResponseEntity.ok()
.contentType(MediaType.TEXT_HTML)
.body(content);
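
Review bot: at `.body(content)` the response is declared `MediaType.TEXT_HTML` and `content` is written without output encoding, so any markup stored in it is interpreted by the reader's browser. If the endpoint has to stay HTML, encode at this sink (for example with Spring's `HtmlUtils.htmlEscape(content)`); if it is an intended stored-XSS sample, a comment naming it as such would help reviewers tell expected findings from regressions.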

Check failure: Code scanning / OpenTaint
Potential cross-site scripting (XSS) (Error)
Potential XSS: writing user input directly to a web page.
Comment on lines +96 to +98
return ResponseEntity.ok()
.contentType(MediaType.TEXT_HTML)
.body(title);
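
Review bot: `.body(title)` serves a title value as `MediaType.TEXT_HTML`, and nothing in these lines requires it to be interpreted as markup. Returning it as `MediaType.TEXT_PLAIN`, or encoding it before it reaches the body, would remove the sink here.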

Check failure: Code scanning / OpenTaint
Potential cross-site scripting (XSS) (Error)
Potential XSS: writing user input directly to a web page.
Comment on lines +131 to +133
return ResponseEntity.ok()
.contentType(MediaType.TEXT_HTML)
.body(content);
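
Review bot: this is the third response in this review that ends in `ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(...)` with an unencoded value. Consider one shared helper that builds the HTML response and applies encoding, with the intentionally vulnerable endpoints calling a clearly named unsafe variant, so the safe and unsafe paths are distinguishable in review.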

Check failure: Code scanning / OpenTaint
Potential cross-site scripting (XSS) (Error)
Potential XSS: writing user input directly to a web page.