Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
Directly incorporating user input into HTTP requests dispatched from the Java EE RequestDispatcher without proper validation of the input can allow any web application resource such as configuration files and source code to be disclosed.
As stated in the Java API doc, when using a Java EE RequestDispatcher, requests may be dispatched to any part of the web application bypassing both implicit (no direct access to WEB-INF or META-INF) and explicit (defined by the web application) security constraints. Unsanitized user provided data must not be used to construct the path passed to the RequestDispatcher as it is very likely to create a security vulnerability in the application.
This query detects unsafe invocations of RequestDispatcher with user-controlled input. Important features include:
- RequestDispatcher constructed from both HTTP request and servlet context
- Path traversal check
- Path encoding check
- Check of path normalization using the java.nio.file.Path package
[x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
Result(s)
Provide at least one useful result found by your query, on some revision of a real project.
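The unsafe pattern the query flags and the three checks it looks for (traversal, encoding, normalization with java.nio.file.Path), shown as an added example servlet that is not part of the original submission or the CodeQL query; the servlet class, the "page" parameter and the /views/ root are constructed for illustration:

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; the "page" parameter and /views/ root are constructed for the example.
public class PageForwardServlet extends HttpServlet {
    private static final String VIEW_ROOT = "/views/";

    // BAD: the parameter reaches getRequestDispatcher unvalidated, so a value such as
    // "../WEB-INF/web.xml" (or its URL-encoded form) is dispatched to, bypassing WEB-INF protection.
    protected void forwardUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(VIEW_ROOT + req.getParameter("page")).forward(req, resp);
    }

    // GOOD: only a validated, normalized path under the view root is dispatched to.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = safeViewPath(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }

    // Returns the validated dispatcher path, or null when the input must be rejected.
    static String safeViewPath(String page) {
        if (page == null || page.isEmpty()) return null;
        // Path encoding check: decode once, then refuse anything still encoded (double encoding).
        String decoded = URLDecoder.decode(page, StandardCharsets.UTF_8);
        if (decoded.contains("%")) return null;
        // Path traversal check: no parent-directory segments at all.
        if (decoded.contains("..")) return null;
        // Normalization check with java.nio.file.Path: the result must stay under the root.
        Path root = Paths.get(VIEW_ROOT).normalize();
        Path resolved = root.resolve(decoded).normalize();
        if (!resolved.startsWith(root)) return null;
        String s = resolved.toString().replace('\\', '/');
        // Implicit container constraints: never forward into WEB-INF or META-INF.
        String upper = s.toUpperCase();
        if (upper.contains("WEB-INF") || upper.contains("META-INF")) return null;
        return s;
    }
}
```

The query reports the `forwardUnsafe` shape; `doGet` passes because the tainted value only reaches the dispatcher after decoding, a traversal check and a `Path.normalize()` containment check.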
Is there something in this issue for us to do, in regards to the API Security Checklist? Or can this issue be closed? Not sure I entirely understand the intentions here. Thanks.
Query
Link to pull request with your CodeQL query:
Relevant PR: https://github.com/github/codeql/pull/7286
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
Report
Originally posted by @luchua-bc in https://github.com/github/securitylab/issues/495