Java: CWE-552 Query to detect configuration file/source code exposure from unsafe request dispatcher #6251

Closed
wants to merge 2 commits into from

Conversation

luchua-bc
Contributor

Directly incorporating user input into HTTP requests dispatched from the Java EE RequestDispatcher without validating the input can allow any web application resource such as configuration files and source code to be disclosed.

As stated in the Java API doc, when using a Java EE RequestDispatcher, requests may be dispatched to any part of the web application bypassing both implicit (no direct access to WEB-INF or META-INF) and explicit (defined by the web application) security constraints. Unsanitized user provided data must not be used to construct the path passed to the RequestDispatcher as it is very likely to create a security vulnerability in the application.

This query detects unsafe invocations of RequestDispatcher with user controlled input. Please consider merging the PR. Thanks.

@haby0
Contributor

haby0 commented Jul 12, 2021

@luchua-bc Hello, this pr is the same as the one I submitted. #6240

In addition, your title is wrong, it should be CWE-552.

@luchua-bc luchua-bc changed the title Java: CWE-522 Query to detect configuration file/source code exposure from unsafe request dispatcher Java: CWE-552 Query to detect configuration file/source code exposure from unsafe request dispatcher Jul 12, 2021
@luchua-bc
Contributor Author

luchua-bc commented Jul 12, 2021

@luchua-bc Hello, this pr is the same as the one I submitted. #6240

In addition, your title is wrong, it should be CWE-552.

Oops! I searched security lab issues that are in the open status and the keyword CWE-552 in the codeql repository but didn't find anything including yours before I started to work on my submission. I should have searched pull requests that are in the open status.

I just took a look and our queries do have a common piece - yours already covers the getRequestDispatcher method in the method ServletRequestGetRequestDispatcherMethod with ServletRequest. However, my query also covers RequestDispatcher initialized from ServletContext as well as the new/latest API in the package jakarta.servlet.

I will merge my query with yours after yours is merged into the main branch.

@luchua-bc
Contributor Author

@haby0 I've added a distinct new category of checking getResource to my query, which also touches the path traversal vulnerability in this scenario. That is, it not only allows checking the malicious pattern of /WEB-INF/web.xml but also allows checking the pattern with path traversal such as /pages/public_page.jsp/../../WEB-INF/web.xml.
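
As an added illustration (not code from this PR or from the CodeQL repository), here is the unsafe pattern the query flags next to a hardened version that normalizes the path and enforces an allowlist, so both the direct /WEB-INF/web.xml case and the /pages/x.jsp/../../WEB-INF/web.xml traversal case are rejected. The servlet class, the /pages/ prefix, the allowlisted page names and the use of the javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that forwards to a JSP selected by the "page" parameter.
public class PageDispatchServlet extends HttpServlet {

    // Allowlist of pages this servlet may forward to (constructed names).
    private static final Set<String> ALLOWED = Set.of("home.jsp", "about.jsp");

    // UNSAFE: raw user input reaches RequestDispatcher, the pattern the query reports.
    // A value such as "../../WEB-INF/web.xml" is dispatched without any check.
    protected void doGetUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");
        req.getRequestDispatcher("/pages/" + page).forward(req, resp);
    }

    // HARDENED: validate and canonicalize before the value reaches the dispatcher.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = safeTarget(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }

    /** Returns a dispatch path under /pages/, or null when the input is rejected. */
    static String safeTarget(String page) {
        if (page == null || page.isEmpty()) return null;
        String normalized;
        try {
            // Resolve "." and ".." so the decision is made on the path the container uses.
            normalized = new URI(null, null, "/pages/" + page, null).normalize().getPath();
        } catch (URISyntaxException e) {
            return null;
        }
        // Anything that escaped /pages/ (e.g. into WEB-INF) loses the prefix; anything
        // still under it must be an exact allowlisted page name, nothing else.
        if (normalized == null || !normalized.startsWith("/pages/")) return null;
        String remainder = normalized.substring("/pages/".length());
        return ALLOWED.contains(remainder) ? normalized : null;
    }
}
```

For "/pages/public_page.jsp/../../WEB-INF/web.xml" the normalized path becomes "/WEB-INF/web.xml" and is rejected by the prefix check; for "home.jsp" it becomes "/pages/home.jsp" and is dispatched.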

@luchua-bc luchua-bc closed this Jan 23, 2022
@luchua-bc luchua-bc deleted the java/unsafe-request-dispatch branch January 23, 2022 18:49