Query PR
github/codeql#9199
Language
Java
CVE(s) ID list
CWE
CWE-552: Files or Directories Accessible to External Parties
Report
What is the vulnerability?
Directly incorporating user input into loading resource calls on the server side without proper validation of the input can allow any web application resource such as configuration files and source code to be disclosed.
How does the vulnerability work?
It is very common for Java Spring applications to load requested resources and return the file contents to clients. Constructing a server-side resource path from user input could allow an attacker to download application binaries (including application classes or jar files) or to view arbitrary files within protected directories.
What strategy do you use in your query to find the vulnerability?
This query detects unsafe usage of resource loading in Spring including the following APIs:
- ClassPathResource
- ResourceUtils
- ResourceLoader and ApplicationContext
How have you reduced the number of false positives?
It utilizes the path sanitizer library to reduce FPs:
- Path traversal check
- Path encoding check
- Path normalization check using java.nio.file.Path
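The pattern the query looks for, and the normalization-based sanitizer that makes it stop reporting, side by side as an added example. This is illustrative code written for this page, not the submitted query, its test cases, or any Spring project's code; the controller, the `templates/` directory, the request parameter `name` and the `.html` allowlist are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller for illustration; not taken from any real project.
@RestController
public class TemplateController {

    private final ResourceLoader resourceLoader;

    public TemplateController(ResourceLoader resourceLoader) {
        this.resourceLoader = resourceLoader;
    }

    // VULNERABLE (CWE-552): the request parameter flows straight into the
    // resource location. A request such as
    //   /template/unsafe?name=../application.properties
    //   /template/unsafe?name=../com/example/TemplateController.class
    // walks out of templates/ and discloses configuration or compiled
    // classes that live on the classpath.
    @GetMapping("/template/unsafe")
    public byte[] unsafe(@RequestParam String name) throws IOException {
        Resource res = resourceLoader.getResource("classpath:templates/" + name);
        try (InputStream in = res.getInputStream()) {
            return in.readAllBytes();
        }
    }

    // HARDENED: the user-controlled segment is normalized with
    // java.nio.file.Path and rejected unless it stays under the intended
    // base directory. This is the kind of check the path sanitizer library
    // recognises, so the flow to ClassPathResource is no longer reported.
    @GetMapping("/template/safe")
    public byte[] safe(@RequestParam String name) throws IOException {
        String relative = safeRelativePath(name);
        if (relative == null) {
            throw new IllegalArgumentException("invalid template name");
        }
        Resource res = new ClassPathResource("templates/" + relative);
        try (InputStream in = res.getInputStream()) {
            return in.readAllBytes();
        }
    }

    // Returns the normalized path relative to templates/, or null if the
    // input escapes that directory (via "..", an absolute path, or by
    // naming the directory itself) or does not look like a template.
    static String safeRelativePath(String name) {
        Path base = Paths.get("templates");
        Path resolved = base.resolve(name).normalize();
        // "../application.properties" normalizes to "application.properties",
        // "/etc/passwd" stays absolute: neither starts with the base.
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            return null;
        }
        // Use forward slashes in the classpath location regardless of OS.
        String relative = base.relativize(resolved).toString().replace('\\', '/');
        // Allowlist the file type as well (assumed policy for this example):
        // normalization alone would still serve templates/../templates/x.class.
        if (!relative.endsWith(".html")) {
            return null;
        }
        return relative;
    }
}
```

Spring decodes percent-encoding in request parameters before binding, so `%2e%2e%2f` reaches `safeRelativePath` as `../` and is caught by the `startsWith(base)` test; a sanitizer that only searched the raw string for `..` would be the weaker of the two checks, which is why the query treats normalization via `java.nio.file.Path` as a sanitizer rather than relying on a substring check.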
Other information?
Please refer to the test cases in the sample program and to CVE-2019-3799 (Spring Cloud Config Server directory traversal, fixed in 2.1.2, 2.0.4 and 1.4.6) for more information.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response