Merge pull request j3ers3#28 from x1ongsec/fix-freemarker

j3ers3 · web-flow · commit 5939ad3745d2 · 2025-03-06T10:34:01.000+08:00
fix bug
diff --git a/src/main/java/com/best/hello/controller/SSTI.java b/src/main/java/com/best/hello/controller/SSTI.java
@@ -149,6 +149,11 @@ public String freemarkerVul(@RequestParam String file, @RequestParam String cont
             log.error("关闭流失败", e);
         }
 
+        if (request.getRequestURI().contains("/freemarker/vul")) {
+            // 如果访问的 URI 路径包含 /freemarker/vul 则使用不安全的解析器
+            conf.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
+        }
+
         // 添加模板到 StringTemplateLoader，并禁用缓存和异常日志
         stringTemplateLoader.putTemplate(file, content);
         conf.setTemplateUpdateDelayMilliseconds(0);
