Java: Add TemplateEngine.createTemplate as a groovy injection sink

Author: atorralba

java/ql/lib/ext/groovy.lang.model.yml

@@ -29,3 +29,4 @@ extensions:
       - ["groovy.lang", "GroovyShell", False, "run", "(String,String,String[])", "", "Argument[0]", "groovy", "manual"]
       - ["groovy.lang", "GroovyShell", False, "run", "(URI,List)", "", "Argument[0]", "groovy", "manual"]
       - ["groovy.lang", "GroovyShell", False, "run", "(URI,String[])", "", "Argument[0]", "groovy", "manual"]
+      - ["groovy.text", "TemplateEngine", True, "createTemplate", "", "", "Argument[0]", "groovy", "manual"]

java/ql/src/change-notes/2023-05-19-groovy-injection-sink.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/groovy-injection` now recognizes `groovy.text.TemplateEngine.createTemplate` as a sink.

java/ql/test/query-tests/security/CWE-094/TemplateEngineTest.java

@@ -0,0 +1,30 @@
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.net.URL;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import groovy.text.TemplateEngine;
+
+public class TemplateEngineTest extends HttpServlet {
+
+    private Object source(HttpServletRequest request) {
+        return request.getParameter("script");
+    }
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            Object script = source(request);
+            TemplateEngine engine = null;
+            engine.createTemplate(request.getParameter("script")); // $ hasGroovyInjection
+            engine.createTemplate((File) script); // $ hasGroovyInjection
+            engine.createTemplate((Reader) script); // $ hasGroovyInjection
+            engine.createTemplate((URL) script); // $ hasGroovyInjection
+        } catch (Exception e) {
+        }
+
+    }
+}