Title: Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications by luchua-bc · Pull Request #9199 · github/codeql · GitHub
Open Graph Title: Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications by luchua-bc · Pull Request #9199 · github/codeql
X Title: Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications by luchua-bc · Pull Request #9199 · github/codeql
Description: Directly incorporating user input into loading resource calls on the server side without proper validation of the input can allow any web application resource such as configuration files and source code to be disclosed. It is very common that Java Spring applications load requested resources and return file contents to clients. Constructing a server-side URI path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. This query detects unsafe usage of resource loading in Spring including the following APIs: ClassPathResource ResourceUtils ResourceLoader and ApplicationContext It utilizes the path sanitizer library to reduce FPs: Path traversal check Path encoding check Check of path normalization using the java.nio.file.Path package Please consider to merge the PR. Thanks.
Open Graph Description: Directly incorporating user input into loading resource calls on the server side without proper validation of the input can allow any web application resource such as configuration files and source...
X Description: Directly incorporating user input into loading resource calls on the server side without proper validation of the input can allow any web application resource such as configuration files and source...
Opengraph URL: https://github.com/github/codeql/pull/9199
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:8b7fca0d-6fbe-4b2f-b77c-d885f67b0021 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | D978:42BF6:6F407F:955775:6A4D37E0 |
| html-safe-nonce | 633a4a29390714dc403f25886d89d6928cffefb2eaf52d1f7c9b52b089e2e921 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEOTc4OjQyQkY2OjZGNDA3Rjo5NTU3NzU6NkE0RDM3RTAiLCJ2aXNpdG9yX2lkIjoiMzMxNDQ5MDU3MjY1MTk2ODQ4MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | b64e41ea98375e8d27e83d914c34f78bc9e6948944ed6384498f95e0eb64d13a |
| hovercard-subject-tag | pull_request:938982069 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/github/codeql/pull/9199/files |
| twitter:image | https://avatars.githubusercontent.com/u/37377780?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/37377780?s=400&v=4 |
| og:image:alt | Directly incorporating user input into loading resource calls on the server side without proper validation of the input can allow any web application resource such as configuration files and source... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/github/codeql git https://github.com/github/codeql.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 143040428 |
| octolytics-dimension-repository_nwo | github/codeql |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 143040428 |
| octolytics-dimension-repository_network_root_nwo | github/codeql |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 56fc8347865a14e2ec811533d68f929cf4e0ec19 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width