Merge pull request #14854 from jcogs33/jcogs33/unsafe-url-forward-promotion

Java: Promote Unsafe URL Forward query from experimental
2026-04-29 02:35:15 +02:00 · 2024-03-29 16:34:06 -04:00
parent 5b1cae5fc2 2f8c4df309
commit d889e3cf98
42 changed files with 758 additions and 1307 deletions
--- a/java/ql/src/Security/CWE/CWE-552/UrlForward.java
+++ b/java/ql/src/Security/CWE/CWE-552/UrlForward.java
@@ -0,0 +1,17 @@
+public class UrlForward extends HttpServlet {
+	private static final String VALID_FORWARD = "https://cwe.mitre.org/data/definitions/552.html";
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		ServletConfig cfg = getServletConfig();
+		ServletContext sc = cfg.getServletContext();
+
+		// BAD: a request parameter is incorporated without validation into a URL forward
+		sc.getRequestDispatcher(request.getParameter("target")).forward(request, response);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_FORWARD.equals(request.getParameter("target"))) {
+			sc.getRequestDispatcher(VALID_FORWARD).forward(request, response);
+		}
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-552/UrlForward.qhelp
+++ b/java/ql/src/Security/CWE/CWE-552/UrlForward.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into a URL forward request without validating the input
+can cause file information disclosure by allowing an attacker to access unauthorized URLs.</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against untrusted URL forwarding, you should avoid putting user input
+directly into a forwarded URL. Instead, you should maintain a list of authorized
+URLs on the server, then choose from that list based on the user input provided.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly in a URL forward
+without validating the input, which may cause file information disclosure.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="UrlForward.java" />
+
+</example>
+<references>
+
+<li>OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">Unvalidated Redirects and Forwards Cheat Sheet</a>.
+</li>
+
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+++ b/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
@@ -0,0 +1,21 @@
+/**
+ * @name URL forward from a remote source
+ * @description URL forward based on unvalidated user input
+ *              may cause file information disclosure.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/unvalidated-url-forward
+ * @tags security
+ *       external/cwe/cwe-552
+ */
+
+import java
+import semmle.code.java.security.UrlForwardQuery
+import UrlForwardFlow::PathGraph
+
+from UrlForwardFlow::PathNode source, UrlForwardFlow::PathNode sink
+where UrlForwardFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Untrusted URL forward depends on a $@.", source.getNode(),
+  "user-provided value"