gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1
Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories.
Definition
rules:
  - id: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1
    mode: taint
    pattern-sources:
      - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameter(...)
    pattern-sinks:
      - patterns:
          - pattern: new org.springframework.web.servlet.ModelAndView($FST);
          - pattern: $FST
      - patterns:
          - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND);
          - pattern: $FST
      - patterns:
          - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND, $TRD);
          - pattern: $FST
      - patterns:
          - pattern: new org.apache.struts.action.ActionForward($FST)
          - pattern: $FST
      - patterns:
          - pattern: new org.apache.struts.action.ActionForward($FST, $SND)
          - pattern: $FST
      - patterns:
          - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD)
          - pattern: $SND
      - patterns:
          - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD)
          - pattern: $TRD
      - patterns:
          - pattern-inside: |
              $ACTION = new org.apache.struts.action.ActionForward();
              ...
          - pattern: $ACTION.setPath(...)
      - patterns:
          - pattern-inside: |
              $MVC = new org.springframework.web.servlet.ModelAndView();
              ...
          - pattern: $MVC.setViewName(...);
      - patterns:
          - pattern-inside: |
              $REQ = $HTTP.getRequestDispatcher(...);
              ...
          - pattern-either:
              - pattern: $REQ.include($FST, $SND)
              - pattern: $REQ.forward($FST, $SND)
    languages:
      - java
    message: >
      Constructing a server-side redirect path with user input could allow an
      attacker to download application binaries (including application classes or
      jar files) or view arbitrary files within protected directories.
    metadata:
      category: security
      cwe: "CWE-552: Files or Directories Accessible to External Parties"
      primary_identifier: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1
      secondary_identifiers:
        - name: Find Security Bugs-REQUESTDISPATCHER_FILE_DISCLOSURE
          type: find_sec_bugs_type
          value: REQUESTDISPATCHER_FILE_DISCLOSURE
        - name: Find Security Bugs-STRUTS_FILE_DISCLOSURE
          type: find_sec_bugs_type
          value: STRUTS_FILE_DISCLOSURE
        - name: Find Security Bugs-SPRING_FILE_DISCLOSURE
          type: find_sec_bugs_type
          value: SPRING_FILE_DISCLOSURE
    license: MIT
    severity: ERROR
Short Link: https://sg.run/PPWq
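The Spring sink of this rule in flagged and non-flagged form, as an added illustration that is not part of the rule page or of the Find Security Bugs project; the controller class, the "page" parameter and the view names are constructed for the example.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.servlet.ModelAndView;

// Constructed example: one Spring controller with both shapes of the code the rule inspects.
public class ReportController {

    // FLAGGED: the request parameter flows unchanged into the first argument of
    // new ModelAndView(...), which is exactly the taint path the rule's
    // pattern-sources (HttpServletRequest.getParameter) and pattern-sinks describe.
    // Whoever controls "page" decides which resource the view resolver opens.
    public ModelAndView renderUnsafe(HttpServletRequest request) {
        String page = request.getParameter("page");
        return new ModelAndView(page);
    }

    // NOT FLAGGED: the parameter is only compared against known keys; the value
    // that reaches the sink is always one of the constants assigned below, so no
    // tainted data flows from getParameter(...) into ModelAndView.
    public ModelAndView renderSafe(HttpServletRequest request) {
        String key = request.getParameter("page");
        String view;
        switch (key == null ? "" : key) {
            case "summary":
                view = "reports/summary";   // constructed view name
                break;
            case "detail":
                view = "reports/detail";    // constructed view name
                break;
            default:
                view = "reports/not_found"; // constant fallback; the input is never echoed
        }
        return new ModelAndView(view);
    }
}
```

The same allow-list approach applies to the Struts `ActionForward` and servlet `RequestDispatcher` sinks listed in the rule: the resolved path must be a constant chosen by the application, not a value derived from the request.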