View Manipulation
| Field | Value |
|---|---|
| ID | kotlin.view_manipulation |
| Severity | critical |
| Resource | Injection |
| Language | Kotlin |
| Tags | CWE:917, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1 |
Rationale
Unrestricted manipulation of view names in Spring MVC, when Thymeleaf is used as the templating engine, can lead to remote code execution. Thymeleaf supports layouts and fragments, which lets a Spring MVC controller build a view or fragment name dynamically. At runtime the Spring ThymeleafView class parses the template name as an expression, so a view name containing untrusted data is exposed to expression language injection.
Consequently, if untrusted data is incorporated into a view name returned from a controller, the result is an Expression Language Injection that can escalate to Remote Code Execution.
```kotlin
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestParam

@Controller
class DummyController {
    @RequestMapping("/")
    fun index(@RequestParam section: String): String {
        return "sections/$section/index" // FLAW - template path is tainted
    }
}
```
Remediation
Do not allow view names to depend on external inputs.
If this behaviour is really needed, use a whitelist approach to validate the view name (or its fragment part) against the set of templates that actually exist.
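The following is an added example of the whitelist remediation applied to the controller above; it is not code from this rule page or from Spring/Thymeleaf. The section names in `ALLOWED_SECTIONS`, the `resolveSectionView` helper and the `UnknownSectionException` class are assumptions chosen for illustration.

```kotlin
import org.springframework.http.HttpStatus
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestParam
import org.springframework.web.bind.annotation.ResponseStatus

// Constructed allowlist: the only section templates that exist under
// templates/sections/. Anything not listed here is rejected outright.
val ALLOWED_SECTIONS: Set<String> = setOf("home", "about", "contact")

/**
 * Maps a user-supplied section name to a view name, or returns null when the
 * value is not in the allowlist. Because the interpolated value is always one
 * of the fixed allowlist entries, the returned view name never carries
 * attacker-controlled characters into the Thymeleaf expression parser.
 */
fun resolveSectionView(section: String): String? =
    if (section in ALLOWED_SECTIONS) "sections/$section/index" else null

// Rejected requests become a plain 404; the raw input is not reflected
// into the view name or into the response body.
@ResponseStatus(HttpStatus.NOT_FOUND)
class UnknownSectionException : RuntimeException("unknown section")

@Controller
class SectionController {
    @RequestMapping("/")
    fun index(@RequestParam section: String): String =
        resolveSectionView(section) ?: throw UnknownSectionException()
}

// Stand-alone check of the helper with constructed inputs.
fun main() {
    check(resolveSectionView("about") == "sections/about/index")
    check(resolveSectionView("unknown") == null)
    check(resolveSectionView("About") == null) // matching is exact, not case-folded
    println("allowlist checks passed")
}
```

If the set of sections is large or changes at deploy time, load the allowlist from the template directory at startup rather than from request data, so the set of accepted names still never depends on the caller.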
References
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection').
- https://www.veracode.com/blog/secure-development/spring-view-manipulation-vulnerability