[Java] CWE-552: Query to detect configuration file/source code exposure from unsafe request dispatcher #398


Closed
1 task done
luchua-bc opened this issue Jul 11, 2021 · 6 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@luchua-bc

Query

Link to pull request with your CodeQL query:

Relevant PR: github/codeql#6251

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

Directly incorporating user input into HTTP requests dispatched from the Java EE RequestDispatcher without validating the input can allow any web application resource such as configuration files and source code to be disclosed.

As stated in the Java API doc, when using a Java EE RequestDispatcher, requests may be dispatched to any part of the web application bypassing both implicit (no direct access to WEB-INF or META-INF) and explicit (defined by the web application) security constraints. Unsanitized user provided data must not be used to construct the path passed to the RequestDispatcher as it is very likely to create a security vulnerability in the application.

This query detects unsafe invocations of RequestDispatcher with user controlled input.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.
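As an added illustration (not code from the PR or from github/codeql), a hypothetical servlet showing the pattern the query flags next to an allow-list remediation; the class name, the `page` parameter and the view paths are assumptions:

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; illustrates the sink the query reports and one remediation.
public class PageServlet extends HttpServlet {

    // Unsafe: the dispatch path is taken verbatim from the request. Server-side forwards
    // are not subject to the container's implicit restriction on WEB-INF/META-INF or to
    // the application's declared security constraints, so any resource can be served.
    protected void unsafeForward(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");
        RequestDispatcher rd = req.getRequestDispatcher(page); // tainted path reaches the sink
        rd.forward(req, resp);
    }

    // Safe: the user supplies only a key that is looked up in a fixed, server-chosen set;
    // the dispatch path itself never contains user-controlled characters.
    private static final Set<String> PAGES = Set.of("home", "about", "contact");

    protected void safeForward(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("page");
        if (key == null || !PAGES.contains(key)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST); // reject, do not sanitise
            return;
        }
        req.getRequestDispatcher("/views/" + key + ".jsp").forward(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        safeForward(req, resp);
    }
}
```

Rejecting unknown keys outright avoids the usual pitfalls of trying to strip `..` or `WEB-INF` from a user-built path.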

@luchua-bc luchua-bc added the All For One Submissions to the All for One, One for All bounty label Jul 11, 2021
@luchua-bc luchua-bc changed the title [Java] CWE-522: Query to detect configuration file/source code exposure from unsafe request dispatcher [Java] CWE-552: Query to detect configuration file/source code exposure from unsafe request dispatcher Jul 12, 2021
@pwntester
Contributor

Hi @luchua-bc, thanks for the contribution and sorry for the radio silence. As you commented on github/codeql#6251 (comment), I think it's better to close this PR and then open a new one when @haby0's one gets merged. Is that ok with you? If so, please close this PR.

@luchua-bc
Author

luchua-bc commented Sep 16, 2021

@pwntester Thanks for the suggestion. The @haby0 one hasn't received any update for two months, therefore it took much longer than I originally thought. I'm OK with closing this one for the time being.

@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@haby0

haby0 commented Oct 28, 2021

@pwntester I think he can open this PR, right? @luchua-bc

@pwntester
Contributor

@luchua-bc better create a new PR for it

@luchua-bc
Author

As per the advice of @pwntester, I've submitted a new PR #7286 to replace this one, with a new issue #495.
