Skip to content

Java: CWE-552 Query to detect configuration file/source code exposure from unsafe request dispatcher#6251

Closed
luchua-bc wants to merge 2 commits intogithub:mainfrom
luchua-bc:java/unsafe-request-dispatch
Closed

Java: CWE-552 Query to detect configuration file/source code exposure from unsafe request dispatcher#6251
luchua-bc wants to merge 2 commits intogithub:mainfrom
luchua-bc:java/unsafe-request-dispatch

Conversation

@luchua-bc
Copy link
Copy Markdown
Contributor

@luchua-bc luchua-bc commented Jul 11, 2021

Directly incorporating user input into HTTP requests dispatched from the Java EE RequestDispatcher without validating the input can allow any web application resource such as configuration files and source code to be disclosed.

As stated in the Java API doc, when using a Java EE RequestDispatcher, requests may be dispatched to any part of the web application bypassing both implicit (no direct access to WEB-INF or META-INF) and explicit (defined by the web application) security constraints. Unsanitized user provided data must not be used to construct the path passed to the RequestDispatcher as it is very likely to create a security vulnerability in the application.

This query detects unsafe invocations of RequestDispatcher with user controlled input. Please consider to merge the PR. Thanks.

@luchua-bc luchua-bc requested a review from a team as a code owner July 11, 2021 20:35
@luchua-bc luchua-bc mentioned this pull request Jul 11, 2021
Closed
1 task
@haby0
Copy link
Copy Markdown
Contributor

haby0 commented Jul 12, 2021
edited
Loading

@luchua-bc Hello, this pr is the same as the one I submitted. #6240

In addition, your title is wrong, it should be CWE-552.

@luchua-bc luchua-bc changed the title Java: CWE-522 Query to detect configuration file/source code exposure from unsafe request dispatcher Java: CWE-552 Query to detect configuration file/source code exposure from unsafe request dispatcher Jul 12, 2021
@luchua-bc
Copy link
Copy Markdown
Contributor Author

luchua-bc commented Jul 12, 2021
edited
Loading

@luchua-bc Hello, this pr is the same as the one I submitted. #6240

In addition, your title is wrong, it should be CWE-552.

Oops! I searched security lab issues that are in the open status and the keyword CWE-552 in the codeql repository but didn't find anything including yours before I started to work on my submission. I should have searched pull requests that are in the open status.

I just took a look and our queries do have a common piece - yours already covers the getRequestDispatcher method in the method ServletRequestGetRequestDispatcherMethod with ServletRequest. However, my query also covers RequestDispatcher initialized from ServletContext as well as the new/latest API in the package jakarta.servlet.

I will merge my query with yours after yours is merged into the main branch.

@luchua-bc

@luchua-bc
Copy link
Copy Markdown
Contributor Author

luchua-bc commented Jul 18, 2021

@haby0 I've added a distinct new category of checking getResource to my query, which also touches the path traversal vulnerability in this scenario. That is, it not only allows to check the malicious pattern of /WEB-INF/web.xml but also allows to check the pattern with path traversal such as /pages/public_page.jsp/../../WEB-INF/web.xml.

@luchua-bc luchua-bc closed this Jan 23, 2022
@luchua-bc luchua-bc deleted the java/unsafe-request-dispatch branch January 23, 2022 18:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@luchua-bc @haby0 @aschackmull