Java: Introduce Freemarker for SSTI queries

[japroc]

Hi team!

I want to add support for Freemarker template engine.
There is a Freemarker.qll library and 2 queries.

Query 1 - FreemarkerTaintedTemplate.ql
Search for cases when untrusted data is used as template. It may lead to remote code execution and information disclosure vulnerabilities.

Query 2 - FreemarkerUnsafeConfiguration.ql
Search for unsafe freemarker configurations. It is not critical by default. Although, when developers use builtin interpret filter on user-data, they will be executed as part of template. As i know it's impossible to analyze ftl files. As mitigation it's recommended to configure secure engine by 1) not enabling Builtin API, 2) setting class resolver to ALLOWS_NOTHING_RESOLVER.

Thanks,
Evgenii.

[intrigus-lgtm]

FYI: There is a similar PR #5935

[smowton]

In the event they differ enough: @japroc are you applying to the bounty program for this?

[japroc]

Hi @intrigus-lgtm and @smowton,

Unfortunately, i have not seen that PR (#5935) earlier. It looks similar. I think mine FreemarkerTaintedTemplate.ql covers same vulnerabilities.
Although this PR also contains FreemarkerUnsafeConfiguration.ql query. It's description is in first comment of this PR.

In the event they differ enough: @japroc are you applying to the bounty program for this?

Yes, i wanted to apply for bounty after some discussion