Title: [Java]: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications · Issue #665 · github/securitylab · GitHub
Open Graph Title: [Java]: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications · Issue #665 · github/securitylab
X Title: [Java]: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications · Issue #665 · github/securitylab
Description: Query PR github/codeql#8706 Language Java CVE(s) ID list CVE-2018-1047 - Path traversal vulnerability with Wildfly 9.x through ServletResourceManager.getResource CVE-2015-5174 - Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext Getresource/ge...
Open Graph Description: Query PR github/codeql#8706 Language Java CVE(s) ID list CVE-2018-1047 - Path traversal vulnerability with Wildfly 9.x through ServletResourceManager.getResource CVE-2015-5174 - Apache Tomcat 6.0/7...
X Description: Query PR github/codeql#8706 Language Java CVE(s) ID list CVE-2018-1047 - Path traversal vulnerability with Wildfly 9.x through ServletResourceManager.getResource CVE-2015-5174 - Apache Tomcat 6.0/7...
Opengraph URL: https://github.com/github/securitylab/issues/665
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Java]: CWE-552 Add sources and sinks to detect unsafe getResource calls in Java EE applications","articleBody":"### Query PR\n\nhttps://github.com/github/codeql/pull/8706\n\n### Language\n\nJava\n\n### CVE(s) ID list\n\n- [CVE-2018-1047 - Path traversal vulnerability with Wildfly 9.x through ServletResourceManager.getResource](https://nvd.nist.gov/vuln/detail/CVE-2018-1047)\r\n- [CVE-2015-5174 - Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext Getresource/getresourceasstream/getresourcepaths Path Traversal](https://vuldb.com/?source_cve.81084)\n\n### CWE\n\nCWE-552: Files or Directories Accessible to External Parties\n\n### Report\n\n1. What is the vulnerability?\r\nDirectly incorporating user input into the getResource call on the server side without proper validation of the input can allow any web application resource such as configuration files and source code to be disclosed.\r\n\r\n2. How does the vulnerability work?\r\nIt is very common that Java EE applications load requested resources and return file contents to clients. Constructing a server-side URI path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories.\r\n\r\n3. What strategy do you use in your query to find the vulnerability?\r\nThis query detects unsafe usage of `getResource` or `getResourceAsStream` from both servlet context and Java Server Faces context, which covers all typical Java EE applications.\r\n\r\n4. How have you reduced the number of **false positives**?\r\nIt utilizes the path sanitizer library to reduce FPs:\r\n- Path traversal check\r\n- Path encoding check\r\n- Check of path normalization using the java.nio.file.Path package\r\n\r\n5. Other information?\r\nPlease refer to test cases and the sample program for more information.\r\n\n\n### Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).\n\n- [X] Yes\n- [ ] No\n\n### Blog post link\n\n_No response_","author":{"url":"https://github.com/luchua-bc","@type":"Person","name":"luchua-bc"},"datePublished":"2022-04-09T01:42:40.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":26},"url":"https://github.com/665/securitylab/issues/665"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:adc13a20-20bc-ba92-2a74-d1619000fa17 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D84A:68043:48997E:65FC6B:6A4D1DB2 |
| html-safe-nonce | ab39ef2df7e1134438999924fca9422b1cff9cb1a7817ffefd3f98dfee06f5ab |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEODRBOjY4MDQzOjQ4OTk3RTo2NUZDNkI6NkE0RDFEQjIiLCJ2aXNpdG9yX2lkIjoiNjIxMzY1ODcxMjIzNTM4NDI0MiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | c4c84b0e8c7141f1f62457b86baa5e39efad86df4b13a7a6f00d648675c7bc93 |
| hovercard-subject-tag | issue:1198008382 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/665/issue_layout |
| twitter:image | https://opengraph.githubassets.com/7b88676bec399923efcf5a2d9445207312101229324f2c46c1e0ba1167c594d6/github/securitylab/issues/665 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/7b88676bec399923efcf5a2d9445207312101229324f2c46c1e0ba1167c594d6/github/securitylab/issues/665 |
| og:image:alt | Query PR github/codeql#8706 Language Java CVE(s) ID list CVE-2018-1047 - Path traversal vulnerability with Wildfly 9.x through ServletResourceManager.getResource CVE-2015-5174 - Apache Tomcat 6.0/7... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | luchua-bc |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 93f17a978ee60bc4668e1d7b90e6bd2d622261fd |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width