Add check for J2EE server directory listing

java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.expected

@@ -0,0 +1 @@
+| insecure-web.xml:16:9:19:22 | init-param | Directory listing should be disabled to mitigate filename and path disclosure |

java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql

java/ql/test/experimental/query-tests/security/CWE-548/insecure-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">
+
+    <!-- The default servlet for all web applications, that serves static     -->
+    <!-- resources.  It processes all requests that are not mapped to other   -->
+    <!-- servlets with servlet mappings (defined either here or in your own   -->
+    <!-- web.xml file).                                                       -->
+    <servlet>
+        <servlet-name>default</servlet-name>
+        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+        <init-param>
+            <param-name>debug</param-name>
+            <param-value>0</param-value>
+        </init-param>
+        <init-param>
+            <param-name>listings</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+
+    <!-- The mapping for the default servlet -->
+    <servlet-mapping>
+        <servlet-name>default</servlet-name>
+        <url-pattern>/</url-pattern>
+    </servlet-mapping>
+
+</web-app>