Need both with and without security...?

[dkegel-fastly]

I'm using this patch to turn off Smarty security:

--- a/php/example-app/routes/web.php
+++ b/php/example-app/routes/web.php
@@ -160,7 +160,7 @@ function getParam(Request $request, string $paramName) {
 
     try {
         $smarty = new Smarty();
-        $smarty->enableSecurity();
+        //$smarty->enableSecurity();
         return $smarty->fetch('eval:'.$template);
     } catch (Exception $e) {
         if ($hideError == "1") {

Might be good to expose Smarty both with and without security...?

Similarly, Thymeleaf's text mode has different security characteristics than its html mode, might want to expose both of them with something like

+  @RequestMapping("/ThymeleafText") // TEXT mode enables RESTRICTED sandbox; for CVE-2026-40478 tab bypass testing
+       String thymeleafText(@RequestParam(required = false) String name, @RequestParam(required = false) String hideError) {
+    if (name == null) {
+                       name = "";
+               }
+    if (hideError == null) {
+                       hideError = "";
+               }
+    String templateString = "ThymeleafText: " + name;
+
+    try {
+      SpringTemplateEngine templateEngine = new SpringTemplateEngine();
+      StringTemplateResolver resolver = new StringTemplateResolver();
+      resolver.setTemplateMode(TemplateMode.TEXT);
+      templateEngine.setTemplateResolver(resolver);
+      return templateEngine.process(templateString, new org.thymeleaf.context.Context());
+               } catch (Exception e) {
+      if (hideError == "1") {
+        return templateString;
+      } else {
+                         return e.toString();
+      }
+               }
+  }

(or possibly some other way to turn on the stricter security; this is just what Claude came up with)

[m10x]

Regarding 1: There is already Smarty Route::match(['get', 'post'] ,'/Smarty', function (Request $request) { and SmartySecurity Route::match(['get', 'post'] ,'/SmartySecurity', function (Request $request) {. Or am I misunderstanding something?

Also both routes are listed:

case 'php/Smarty':
            title="Smarty";
            description="Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. It allows you to write templates, using variables, modifiers, functions and comments";
            documentation=["Documentation","https://smarty-php.github.io/smarty/5.x/",
                "RubyGems.org", "https://packagist.org/packages/smarty/smarty"];
            modes=["Default", "/php/Smarty",
                "Security", "/php/SmartySecurity"];
            characteristics=`comment: {# comment #}<br>
            multiply: {math equation="7 * 7"}<br>
            string: { "string" } or { 'string' }`;
            break;

There was an issue with the smartysecurity route, that got fixed 2 days ago: d65dbc0

Are you using the latest version?

[m10x]

2. I did not know about that mode yet. Definitely makes sense to implement it.

Instead of String templateString = "ThymeleafText: " + name;
it should probably be String templateString = getTemplate(name, "ThymeleafText");
in order to align with the generic template. I'll have to see when I'm going to have time to test it locally.

[m10x]

You could save me some time, if you modify the /Thymeleaf route to include resolver.setTemplateMode(TemplateMode.TEXT); and test if the text mode behaves correctly :)
If it does, it will be simple for me to add it as additional mode

[dkegel-fastly]

I forgot about SmartySecurity! If I had more time I'd write a proper reproducer to verify there's unwanted security in plain Smarty.

I am currently on other attack types, but will try to follow up next time I get around to SSTI.