mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
Java: remove experimental tests
This commit is contained in:
Jami Cogswell
@@ -1,155 +0,0 @@
|
||||
package com.example;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileReader;
|
||||
import java.io.InputStreamReader;
|
||||
import java.io.IOException;
|
||||
import java.io.Reader;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLDecoder;
|
||||
import java.nio.file.Files;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.core.io.ResourceLoader;
|
||||
import org.springframework.util.ResourceUtils;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
/** Sample class of Spring RestController */
|
||||
@RestController
|
||||
public class UnsafeLoadSpringResource {
|
||||
@GetMapping("/file1")
|
||||
//BAD: Get resource from ClassPathResource without input validation
|
||||
public String getFileContent1(@RequestParam(name="fileName") String fileName) {
|
||||
// A request such as the following can disclose source code and application configuration
|
||||
// fileName=/../../WEB-INF/views/page.jsp
|
||||
// fileName=/com/example/package/SampleController.class
|
||||
ClassPathResource clr = new ClassPathResource(fileName);
|
||||
char[] buffer = new char[4096];
|
||||
StringBuilder out = new StringBuilder();
|
||||
try {
|
||||
Reader in = new FileReader(clr.getFilename());
|
||||
for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
|
||||
out.append(buffer, 0, numRead);
|
||||
}
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
return out.toString();
|
||||
}
|
||||
|
||||
@GetMapping("/file1a")
|
||||
//GOOD: Get resource from ClassPathResource with input path validation
|
||||
public String getFileContent1a(@RequestParam(name="fileName") String fileName) {
|
||||
String result = null;
|
||||
if (fileName.startsWith("/safe_dir") && !fileName.contains("..")) {
|
||||
ClassPathResource clr = new ClassPathResource(fileName);
|
||||
char[] buffer = new char[4096];
|
||||
StringBuilder out = new StringBuilder();
|
||||
try {
|
||||
Reader in = new InputStreamReader(clr.getInputStream(), "UTF-8");
|
||||
for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
|
||||
out.append(buffer, 0, numRead);
|
||||
}
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
result = out.toString();
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping("/file2")
|
||||
//BAD: Get resource from ResourceUtils without input validation
|
||||
public String getFileContent2(@RequestParam(name="fileName") String fileName) {
|
||||
String content = null;
|
||||
|
||||
try {
|
||||
// A request such as the following can disclose source code and system configuration
|
||||
// fileName=/etc/hosts
|
||||
// fileName=file:/etc/hosts
|
||||
// fileName=/opt/appdir/WEB-INF/views/page.jsp
|
||||
File file = ResourceUtils.getFile(fileName);
|
||||
//Read File Content
|
||||
content = new String(Files.readAllBytes(file.toPath()));
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
return content;
|
||||
}
|
||||
|
||||
@GetMapping("/file2a")
|
||||
//GOOD: Get resource from ResourceUtils with input path validation
|
||||
public String getFileContent2a(@RequestParam(name="fileName") String fileName) {
|
||||
String content = null;
|
||||
|
||||
if (fileName.startsWith("/safe_dir") && !fileName.contains("..")) {
|
||||
try {
|
||||
File file = ResourceUtils.getFile(fileName);
|
||||
//Read File Content
|
||||
content = new String(Files.readAllBytes(file.toPath()));
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
}
|
||||
return content;
|
||||
}
|
||||
|
||||
@Autowired
|
||||
ResourceLoader resourceLoader;
|
||||
|
||||
@GetMapping("/file3")
|
||||
//BAD: Get resource from ResourceLoader (same as application context) without input validation
|
||||
// Note it is not detected without the generic `resource.getInputStream()` check
|
||||
public String getFileContent3(@RequestParam(name="fileName") String fileName) {
|
||||
String content = null;
|
||||
|
||||
try {
|
||||
// A request such as the following can disclose source code and system configuration
|
||||
// fileName=/WEB-INF/views/page.jsp
|
||||
// fileName=/WEB-INF/classes/com/example/package/SampleController.class
|
||||
// fileName=file:/etc/hosts
|
||||
Resource resource = resourceLoader.getResource(fileName);
|
||||
|
||||
char[] buffer = new char[4096];
|
||||
StringBuilder out = new StringBuilder();
|
||||
|
||||
Reader in = new InputStreamReader(resource.getInputStream(), "UTF-8");
|
||||
for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
|
||||
out.append(buffer, 0, numRead);
|
||||
}
|
||||
content = out.toString();
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
return content;
|
||||
}
|
||||
|
||||
@GetMapping("/file3a")
|
||||
//GOOD: Get resource from ResourceLoader (same as application context) with input path validation
|
||||
public String getFileContent3a(@RequestParam(name="fileName") String fileName) {
|
||||
String content = null;
|
||||
|
||||
if (fileName.startsWith("/safe_dir") && !fileName.contains("..")) {
|
||||
try {
|
||||
Resource resource = resourceLoader.getResource(fileName);
|
||||
|
||||
char[] buffer = new char[4096];
|
||||
StringBuilder out = new StringBuilder();
|
||||
|
||||
Reader in = new InputStreamReader(resource.getInputStream(), "UTF-8");
|
||||
for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
|
||||
out.append(buffer, 0, numRead);
|
||||
}
|
||||
content = out.toString();
|
||||
} catch (IOException ie) {
|
||||
ie.printStackTrace();
|
||||
}
|
||||
}
|
||||
return content;
|
||||
}
|
||||
}
|
||||
@@ -1,52 +0,0 @@
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
// @WebFilter("/*")
|
||||
public class UnsafeRequestPath implements Filter {
|
||||
private static final String BASE_PATH = "/pages";
|
||||
|
||||
@Override
|
||||
// BAD: Request dispatcher from servlet path without check
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
String path = ((HttpServletRequest) request).getServletPath();
|
||||
// A sample payload "/%57EB-INF/web.xml" can bypass this `startsWith` check
|
||||
if (path != null && !path.startsWith("/WEB-INF")) {
|
||||
request.getRequestDispatcher(path).forward(request, response);
|
||||
} else {
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: Request dispatcher from servlet path with check
|
||||
public void doFilter2(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
String path = ((HttpServletRequest) request).getServletPath();
|
||||
|
||||
if (path.startsWith(BASE_PATH) && !path.contains("..")) {
|
||||
request.getRequestDispatcher(path).forward(request, response);
|
||||
} else {
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: Request dispatcher from servlet path with whitelisted string comparison
|
||||
public void doFilter3(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
String path = ((HttpServletRequest) request).getServletPath();
|
||||
|
||||
if (path.equals("/comaction")) {
|
||||
request.getRequestDispatcher(path).forward(request, response);
|
||||
} else {
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,270 +0,0 @@
|
||||
package com.example;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.net.URI;
|
||||
import java.net.URL;
|
||||
import java.net.URISyntaxException;
|
||||
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.ServletOutputStream;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletConfig;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import io.undertow.server.handlers.resource.FileResourceManager;
|
||||
import io.undertow.server.handlers.resource.Resource;
|
||||
import org.jboss.vfs.VFS;
|
||||
import org.jboss.vfs.VirtualFile;
|
||||
|
||||
public class UnsafeResourceGet extends HttpServlet {
|
||||
private static final String BASE_PATH = "/pages";
|
||||
|
||||
@Override
|
||||
// BAD: getResource constructed from `ServletContext` without input validation
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
|
||||
// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
|
||||
URL url = sc.getResource(requestUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed from `ServletContext` with input validation
|
||||
protected void doGetGood(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
|
||||
Path path = Paths.get(requestUrl).normalize().toRealPath();
|
||||
if (path.startsWith(BASE_PATH)) {
|
||||
URL url = sc.getResource(path.toString());
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed from `ServletContext` with null check only
|
||||
protected void doGetGood2(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
PrintWriter writer = response.getWriter();
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
|
||||
// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
|
||||
URL url = sc.getResource(requestUrl);
|
||||
if (url == null) {
|
||||
writer.println("Requested source not found");
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed from `ServletContext` with `equals` check
|
||||
protected void doGetGood3(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
ServletContext sc = request.getServletContext();
|
||||
|
||||
if (requestUrl.equals("/public/crossdomain.xml")) {
|
||||
URL url = sc.getResource(requestUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
// BAD: getResourceAsStream constructed from `ServletContext` without input validation
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
|
||||
InputStream in = request.getServletContext().getResourceAsStream(requestPath);
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResourceAsStream constructed from `ServletContext` with input validation
|
||||
protected void doPostGood(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
if (!requestPath.contains("..") && requestPath.startsWith("/trusted")) {
|
||||
InputStream in = request.getServletContext().getResourceAsStream(requestPath);
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
// BAD: getResource constructed from `Class` without input validation
|
||||
protected void doHead(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
|
||||
// Note the class is in two levels of subpackages and `Class.getResource` starts from its own directory
|
||||
URL url = getClass().getResource(requestUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed from `Class` with input validation
|
||||
protected void doHeadGood(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
Path path = Paths.get(requestUrl).normalize().toRealPath();
|
||||
if (path.startsWith(BASE_PATH)) {
|
||||
URL url = getClass().getResource(path.toString());
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
// BAD: getResourceAsStream constructed from `ClassLoader` without input validation
|
||||
protected void doPut(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
|
||||
// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
|
||||
// Note the class is in two levels of subpackages and `ClassLoader.getResourceAsStream` starts from its own directory
|
||||
InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath);
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResourceAsStream constructed from `ClassLoader` with input validation
|
||||
protected void doPutGood(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
|
||||
if (!requestPath.contains("..") && requestPath.startsWith("/trusted")) {
|
||||
InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath);
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// BAD: getResource constructed from `ClassLoader` without input validation
|
||||
protected void doPutBad(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestUrl = request.getParameter("requestURL");
|
||||
ServletOutputStream out = response.getOutputStream();
|
||||
|
||||
// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
|
||||
// Note the class is in two levels of subpackages and `ClassLoader.getResource` starts from its own directory
|
||||
URL url = getClass().getClassLoader().getResource(requestUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
byte[] buf = new byte[4 * 1024]; // 4K buffer
|
||||
int bytesRead;
|
||||
while ((bytesRead = in.read(buf)) != -1) {
|
||||
out.write(buf, 0, bytesRead);
|
||||
}
|
||||
}
|
||||
|
||||
// BAD: getResource constructed using Undertow IO without input validation
|
||||
protected void doPutBad2(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
|
||||
try {
|
||||
FileResourceManager rm = new FileResourceManager(VFS.getChild(new URI("/usr/share")).getPhysicalFile());
|
||||
Resource rs = rm.getResource(requestPath);
|
||||
|
||||
VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
|
||||
// Do file operations
|
||||
overlay.getChild(rs.getPath());
|
||||
} catch (URISyntaxException ue) {
|
||||
throw new IOException("Cannot parse the URI");
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed using Undertow IO with input validation
|
||||
protected void doPutGood2(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String requestPath = request.getParameter("requestPath");
|
||||
|
||||
try {
|
||||
FileResourceManager rm = new FileResourceManager(VFS.getChild(new URI("/usr/share")).getPhysicalFile());
|
||||
Resource rs = rm.getResource(requestPath);
|
||||
|
||||
VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
|
||||
String path = rs.getPath();
|
||||
if (path.startsWith("/trusted_path") && !path.contains("..")) {
|
||||
// Do file operations
|
||||
overlay.getChild(path);
|
||||
}
|
||||
} catch (URISyntaxException ue) {
|
||||
throw new IOException("Cannot parse the URI");
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,58 +0,0 @@
|
||||
package com.example;
|
||||
|
||||
import javax.faces.context.FacesContext;
|
||||
import java.io.BufferedReader;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.io.IOException;
|
||||
import java.net.URL;
|
||||
import java.util.Map;
|
||||
|
||||
/** Sample class of JSF managed bean */
|
||||
public class UnsafeResourceGet2 {
|
||||
// BAD: getResourceAsStream constructed from `ExternalContext` without input validation
|
||||
public String parameterActionBad1() throws IOException {
|
||||
FacesContext fc = FacesContext.getCurrentInstance();
|
||||
Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
|
||||
String loadUrl = params.get("loadUrl");
|
||||
|
||||
InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl));
|
||||
BufferedReader br = new BufferedReader(isr);
|
||||
if(br.ready()) {
|
||||
//Do Stuff
|
||||
return "result";
|
||||
}
|
||||
|
||||
return "home";
|
||||
}
|
||||
|
||||
// BAD: getResource constructed from `ExternalContext` without input validation
|
||||
public String parameterActionBad2() throws IOException {
|
||||
FacesContext fc = FacesContext.getCurrentInstance();
|
||||
Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
|
||||
String loadUrl = params.get("loadUrl");
|
||||
|
||||
URL url = fc.getExternalContext().getResource(loadUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
//Do Stuff
|
||||
return "result";
|
||||
}
|
||||
|
||||
// GOOD: getResource constructed from `ExternalContext` with input validation
|
||||
public String parameterActionGood1() throws IOException {
|
||||
FacesContext fc = FacesContext.getCurrentInstance();
|
||||
Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
|
||||
String loadUrl = params.get("loadUrl");
|
||||
|
||||
if (loadUrl.equals("/public/crossdomain.xml")) {
|
||||
URL url = fc.getExternalContext().getResource(loadUrl);
|
||||
|
||||
InputStream in = url.openStream();
|
||||
//Do Stuff
|
||||
return "result";
|
||||
}
|
||||
|
||||
return "home";
|
||||
}
|
||||
}
|
||||
@@ -1,131 +0,0 @@
|
||||
import java.io.IOException;
|
||||
import java.net.URLDecoder;
|
||||
import java.io.File;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletConfig;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
public class UnsafeServletRequestDispatch extends HttpServlet {
|
||||
private static final String BASE_PATH = "/pages";
|
||||
|
||||
@Override
|
||||
// BAD: Request dispatcher constructed from `ServletContext` without input validation
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String action = request.getParameter("action");
|
||||
String returnURL = request.getParameter("returnURL");
|
||||
|
||||
ServletConfig cfg = getServletConfig();
|
||||
if (action.equals("Login")) {
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
RequestDispatcher rd = sc.getRequestDispatcher("/Login.jsp");
|
||||
rd.forward(request, response);
|
||||
} else {
|
||||
ServletContext sc = cfg.getServletContext();
|
||||
RequestDispatcher rd = sc.getRequestDispatcher(returnURL);
|
||||
rd.forward(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
// BAD: Request dispatcher constructed from `HttpServletRequest` without input validation
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String action = request.getParameter("action");
|
||||
String returnURL = request.getParameter("returnURL");
|
||||
|
||||
if (action.equals("Login")) {
|
||||
RequestDispatcher rd = request.getRequestDispatcher("/Login.jsp");
|
||||
rd.forward(request, response);
|
||||
} else {
|
||||
RequestDispatcher rd = request.getRequestDispatcher(returnURL);
|
||||
rd.forward(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
// GOOD: Request dispatcher with a whitelisted URI
|
||||
protected void doPut(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String action = request.getParameter("action");
|
||||
|
||||
if (action.equals("Login")) {
|
||||
RequestDispatcher rd = request.getRequestDispatcher("/Login.jsp");
|
||||
rd.forward(request, response);
|
||||
} else if (action.equals("Register")) {
|
||||
RequestDispatcher rd = request.getRequestDispatcher("/Register.jsp");
|
||||
rd.forward(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// BAD: Request dispatcher without path traversal check
|
||||
protected void doHead2(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String path = request.getParameter("path");
|
||||
|
||||
// A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check
|
||||
// The payload "/pages/welcome.jsp/../../%57EB-INF/web.xml" can bypass the check as well since RequestDispatcher will decode `%57` as `W`
|
||||
if (path.startsWith(BASE_PATH)) {
|
||||
request.getServletContext().getRequestDispatcher(path).include(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: Request dispatcher with path traversal check
|
||||
protected void doHead3(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String path = request.getParameter("path");
|
||||
|
||||
if (path.startsWith(BASE_PATH) && !path.contains("..")) {
|
||||
request.getServletContext().getRequestDispatcher(path).include(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: Request dispatcher with path normalization and comparison
|
||||
protected void doHead4(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String path = request.getParameter("path");
|
||||
Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize();
|
||||
|
||||
// /pages/welcome.jsp/../../WEB-INF/web.xml becomes /WEB-INF/web.xml
|
||||
// /pages/welcome.jsp/../../%57EB-INF/web.xml becomes /%57EB-INF/web.xml
|
||||
if (requestedPath.startsWith(BASE_PATH)) {
|
||||
request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// FN: Request dispatcher with negation check and path normalization, but without URL decoding
|
||||
// When promoting this query, consider using FlowStates to make `getRequestDispatcher` a sink
|
||||
// only if a URL-decoding step has NOT been crossed (i.e. make URLDecoder.decode change the
|
||||
// state to a different value than the one required at the sink).
|
||||
protected void doHead5(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String path = request.getParameter("path");
|
||||
Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize();
|
||||
|
||||
if (!requestedPath.startsWith("/WEB-INF") && !requestedPath.startsWith("/META-INF")) {
|
||||
request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
// GOOD: Request dispatcher with path traversal check and URL decoding
|
||||
protected void doHead6(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String path = request.getParameter("path");
|
||||
boolean hasEncoding = path.contains("%");
|
||||
while (hasEncoding) {
|
||||
path = URLDecoder.decode(path, "UTF-8");
|
||||
hasEncoding = path.contains("%");
|
||||
}
|
||||
|
||||
if (!path.startsWith("/WEB-INF/") && !path.contains("..")) {
|
||||
request.getServletContext().getRequestDispatcher(path).include(request, response);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,129 +0,0 @@
|
||||
edges
|
||||
| UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | provenance | |
|
||||
| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr | provenance | |
|
||||
| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | provenance | |
|
||||
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | provenance | |
|
||||
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | provenance | |
|
||||
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | provenance | |
|
||||
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map | provenance | |
|
||||
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | provenance | |
|
||||
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | provenance | |
|
||||
| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map | provenance | |
|
||||
| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | provenance | |
|
||||
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | provenance | |
|
||||
| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | UnsafeResourceGet2.java:37:20:37:22 | url | provenance | |
|
||||
| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | provenance | |
|
||||
| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | provenance | |
|
||||
| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | UnsafeResourceGet.java:41:20:41:22 | url | provenance | |
|
||||
| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | provenance | |
|
||||
| UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath | provenance | |
|
||||
| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | provenance | |
|
||||
| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | UnsafeResourceGet.java:150:20:150:22 | url | provenance | |
|
||||
| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | provenance | |
|
||||
| UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | UnsafeResourceGet.java:189:68:189:78 | requestPath | provenance | |
|
||||
| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | provenance | |
|
||||
| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | UnsafeResourceGet.java:226:20:226:22 | url | provenance | |
|
||||
| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | provenance | |
|
||||
| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:241:33:241:43 | requestPath : String | provenance | |
|
||||
| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | UnsafeResourceGet.java:245:21:245:22 | rs : Resource | provenance | |
|
||||
| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | provenance | |
|
||||
| UnsafeResourceGet.java:245:21:245:22 | rs : Resource | UnsafeResourceGet.java:245:21:245:32 | getPath(...) | provenance | |
|
||||
| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | provenance | |
|
||||
| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | provenance | |
|
||||
| UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path | provenance | |
|
||||
| UnsafeUrlForward.java:13:27:13:36 | url : String | UnsafeUrlForward.java:14:27:14:29 | url | provenance | |
|
||||
| UnsafeUrlForward.java:18:27:18:36 | url : String | UnsafeUrlForward.java:20:28:20:30 | url | provenance | |
|
||||
| UnsafeUrlForward.java:25:21:25:30 | url : String | UnsafeUrlForward.java:26:23:26:25 | url | provenance | |
|
||||
| UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:48:31:63 | ... + ... | provenance | |
|
||||
| UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:61:31:63 | url | provenance | |
|
||||
| UnsafeUrlForward.java:36:19:36:28 | url : String | UnsafeUrlForward.java:38:33:38:35 | url | provenance | |
|
||||
| UnsafeUrlForward.java:47:19:47:28 | url : String | UnsafeUrlForward.java:49:33:49:62 | ... + ... | provenance | |
|
||||
| UnsafeUrlForward.java:58:19:58:28 | url : String | UnsafeUrlForward.java:60:33:60:62 | ... + ... | provenance | |
|
||||
nodes
|
||||
| UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | semmle.label | new ClassPathResource(...) : ClassPathResource |
|
||||
| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr |
|
||||
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName |
|
||||
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName |
|
||||
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
|
||||
| UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
|
||||
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
|
||||
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | semmle.label | params : Map |
|
||||
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | semmle.label | get(...) : String |
|
||||
| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | semmle.label | loadUrl |
|
||||
| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
|
||||
| UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map |
|
||||
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String |
|
||||
| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | semmle.label | getResource(...) : URL |
|
||||
| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | semmle.label | loadUrl : String |
|
||||
| UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url |
|
||||
| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | semmle.label | getResource(...) : URL |
|
||||
| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | semmle.label | requestUrl : String |
|
||||
| UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url |
|
||||
| UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:115:68:115:78 | requestPath | semmle.label | requestPath |
|
||||
| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | semmle.label | getResource(...) : URL |
|
||||
| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | semmle.label | requestUrl : String |
|
||||
| UnsafeResourceGet.java:150:20:150:22 | url | semmle.label | url |
|
||||
| UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:189:68:189:78 | requestPath | semmle.label | requestPath |
|
||||
| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | semmle.label | getResource(...) : URL |
|
||||
| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | semmle.label | requestUrl : String |
|
||||
| UnsafeResourceGet.java:226:20:226:22 | url | semmle.label | url |
|
||||
| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | semmle.label | getResource(...) : Resource |
|
||||
| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | semmle.label | requestPath : String |
|
||||
| UnsafeResourceGet.java:245:21:245:22 | rs : Resource | semmle.label | rs : Resource |
|
||||
| UnsafeResourceGet.java:245:21:245:32 | getPath(...) | semmle.label | getPath(...) |
|
||||
| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | semmle.label | returnURL |
|
||||
| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | semmle.label | returnURL |
|
||||
| UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| UnsafeServletRequestDispatch.java:76:53:76:56 | path | semmle.label | path |
|
||||
| UnsafeUrlForward.java:13:27:13:36 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:14:27:14:29 | url | semmle.label | url |
|
||||
| UnsafeUrlForward.java:18:27:18:36 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:20:28:20:30 | url | semmle.label | url |
|
||||
| UnsafeUrlForward.java:25:21:25:30 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:26:23:26:25 | url | semmle.label | url |
|
||||
| UnsafeUrlForward.java:30:27:30:36 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:31:48:31:63 | ... + ... | semmle.label | ... + ... |
|
||||
| UnsafeUrlForward.java:31:61:31:63 | url | semmle.label | url |
|
||||
| UnsafeUrlForward.java:36:19:36:28 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:38:33:38:35 | url | semmle.label | url |
|
||||
| UnsafeUrlForward.java:47:19:47:28 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:49:33:49:62 | ... + ... | semmle.label | ... + ... |
|
||||
| UnsafeUrlForward.java:58:19:58:28 | url : String | semmle.label | url : String |
|
||||
| UnsafeUrlForward.java:60:33:60:62 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
#select
|
||||
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value |
|
||||
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value |
|
||||
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value |
|
||||
| UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
|
||||
| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value |
|
||||
| UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:41:20:41:22 | url | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:115:68:115:78 | requestPath | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:150:20:150:22 | url | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:189:68:189:78 | requestPath | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | UnsafeResourceGet.java:189:68:189:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:226:20:226:22 | url | UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:226:20:226:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:219:23:219:56 | getParameter(...) | user-provided value |
|
||||
| UnsafeResourceGet.java:245:21:245:32 | getPath(...) | UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:245:21:245:32 | getPath(...) | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:237:24:237:58 | getParameter(...) | user-provided value |
|
||||
| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) | user-provided value |
|
||||
| UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) | user-provided value |
|
||||
| UnsafeServletRequestDispatch.java:76:53:76:56 | path | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) | user-provided value |
|
||||
| UnsafeUrlForward.java:14:27:14:29 | url | UnsafeUrlForward.java:13:27:13:36 | url : String | UnsafeUrlForward.java:14:27:14:29 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:13:27:13:36 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:20:28:20:30 | url | UnsafeUrlForward.java:18:27:18:36 | url : String | UnsafeUrlForward.java:20:28:20:30 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:18:27:18:36 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:26:23:26:25 | url | UnsafeUrlForward.java:25:21:25:30 | url : String | UnsafeUrlForward.java:26:23:26:25 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:25:21:25:30 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:31:48:31:63 | ... + ... | UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:48:31:63 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:30:27:30:36 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:31:61:31:63 | url | UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:61:31:63 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:30:27:30:36 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:38:33:38:35 | url | UnsafeUrlForward.java:36:19:36:28 | url : String | UnsafeUrlForward.java:38:33:38:35 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:36:19:36:28 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:49:33:49:62 | ... + ... | UnsafeUrlForward.java:47:19:47:28 | url : String | UnsafeUrlForward.java:49:33:49:62 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:47:19:47:28 | url | user-provided value |
|
||||
| UnsafeUrlForward.java:60:33:60:62 | ... + ... | UnsafeUrlForward.java:58:19:58:28 | url : String | UnsafeUrlForward.java:60:33:60:62 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:58:19:58:28 | url | user-provided value |
|
||||
@@ -1,78 +0,0 @@
|
||||
import java.io.IOException;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
|
||||
@Controller
|
||||
public class UnsafeUrlForward {
|
||||
|
||||
@GetMapping("/bad1")
|
||||
public ModelAndView bad1(String url) {
|
||||
return new ModelAndView(url);
|
||||
}
|
||||
|
||||
@GetMapping("/bad2")
|
||||
public ModelAndView bad2(String url) {
|
||||
ModelAndView modelAndView = new ModelAndView();
|
||||
modelAndView.setViewName(url);
|
||||
return modelAndView;
|
||||
}
|
||||
|
||||
@GetMapping("/bad3")
|
||||
public String bad3(String url) {
|
||||
return "forward:" + url + "/swagger-ui/index.html";
|
||||
}
|
||||
|
||||
@GetMapping("/bad4")
|
||||
public ModelAndView bad4(String url) {
|
||||
ModelAndView modelAndView = new ModelAndView("forward:" + url);
|
||||
return modelAndView;
|
||||
}
|
||||
|
||||
@GetMapping("/bad5")
|
||||
public void bad5(String url, HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
request.getRequestDispatcher(url).include(request, response);
|
||||
} catch (ServletException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@GetMapping("/bad6")
|
||||
public void bad6(String url, HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").include(request, response);
|
||||
} catch (ServletException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@GetMapping("/bad7")
|
||||
public void bad7(String url, HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").forward(request, response);
|
||||
} catch (ServletException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@GetMapping("/good1")
|
||||
public void good1(String url, HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
request.getRequestDispatcher("/index.jsp?token=" + url).forward(request, response);
|
||||
} catch (ServletException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
|
||||
@@ -1 +0,0 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/javax-faces-2.3/:${testdir}/../../../../stubs/undertow-io-2.2/:${testdir}/../../../../stubs/jboss-vfs-3.2/:${testdir}/../../../../stubs/springframework-5.3.8/
|
||||
Reference in New Issue
Block a user