Files or Directories Accessible to External Parties

ID

scala.inject.scala_inject_rule_filedisclosure

Severity

high

Resource

Inject

Language

Scala

Description

Constructing a server-side forward or redirect path from user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories such as WEB-INF.

Rationale

Struts ActionForward paths, Spring ModelAndView view names and similar forward targets are resolved inside the servlet container, so they are not subject to the restriction that stops clients from requesting /WEB-INF/ and /META-INF/ resources directly. If such a path is built from a request parameter, an attacker can supply a value like /WEB-INF/web.xml, a path under /WEB-INF/classes/ or a traversal sequence (../) and have the container forward to, and render, the contents of files in those protected directories. This exposes deployment descriptors, configuration and credentials, source files and compiled application classes or jars that the attacker can then decompile to find further weaknesses. The rule flags constructors and setters of these classes whose path or view-name argument is tainted by user input; arguments that only carry a name or a model attribute are not flagged.

The following code illustrates a vulnerable pattern detected by this rule:

import java.io.IOException
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}
import org.apache.struts.action.ActionForward
import org.springframework.web.servlet.ModelAndView

class FileDisclosure extends HttpServlet {
  @throws[IOException]
  override def doGet(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    try {
      // Tainted source: the forward target is taken straight from the query string
      val returnURL = request.getParameter("returnURL")

      // ---- Struts ActionForward vulnerable code tests ----
      // VULNERABLE: Files or Directories Accessible to External Parties
      val forward = new ActionForward(returnURL) //BAD
      // VULNERABLE: Files or Directories Accessible to External Parties
      val forward2 = new ActionForward(returnURL, true) //BAD
      // VULNERABLE: Files or Directories Accessible to External Parties
      val forward3 = new ActionForward("name", returnURL, true) //BAD
      val forward4 = new ActionForward
      // VULNERABLE: Files or Directories Accessible to External Parties
      forward4.setPath(returnURL) //BAD

      //false positive test - returnURL moved from path to name (safe argument)
      val forward5 = new ActionForward(returnURL, "path", true) //OK

      // ---- Spring ModelAndView vulnerable code tests ----
      // VULNERABLE: Files or Directories Accessible to External Parties
      val mv = new ModelAndView(returnURL) //BAD
      val mv4 = new ModelAndView
      // VULNERABLE: Files or Directories Accessible to External Parties
      mv4.setViewName(returnURL) //BAD
      //false positive test - returnURL moved from viewName to modelName (safe argument)
      val mv5 = new ModelAndView("viewName", returnURL, "value") //OK
    } catch {
      case e: Exception =>
        System.out.println(e)
    }
  }
}

Remediation

Never pass request data directly to ActionForward, ModelAndView, RequestDispatcher or any other API that selects a server-side path. Treat the user-supplied value as a key and look it up in a fixed allow-list of view names or paths that the application owns, falling back to a safe default when the key is unknown. Where legacy code must accept a path-like value, additionally reject absolute paths, ".." segments, URL schemes and any reference to WEB-INF or META-INF before use, and keep the final target under a fixed view directory chosen by the application. For client-side redirects, validate the destination against an allow-list of hosts or permit only relative paths within the application. Review the references below for further guidance.
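The hardened counterpart of the flagged servlet, as an added example that is not part of the rule page or its test fixtures: the returnURL parameter selects an entry from an allow-list (constructed here) instead of becoming the forward path itself, and a secondary path check is shown for legacy code that cannot be converted. The view names, the /WEB-INF/views/ prefix and the probe inputs in the demo are assumptions for illustration; a plain RequestDispatcher forward is used so the example needs no Struts or Spring dependency, but the resolved value is exactly what you would hand to new ModelAndView(view) or new ActionForward(view).

```scala
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}

/** Allow-list resolution of a client-supplied view selector (added example). */
object SafeForwards {
  // Constructed allow-list for this example: the only targets a request may select.
  // Keys are opaque tokens sent by the client; values are view names the application owns.
  private val Views: Map[String, String] = Map(
    "home"    -> "home",
    "account" -> "account/summary",
    "orders"  -> "orders/list"
  )
  private val DefaultView = "home"

  /** Map the request parameter to one of our own view names. Unknown keys, null,
    * traversal sequences and absolute paths all fall back to the default, so the
    * client's bytes never become part of a server-side path. */
  def resolveView(param: String): String =
    Option(param).flatMap(Views.get).getOrElse(DefaultView)

  /** Defence in depth for legacy code that must accept a path-like value:
    * only a short, relative, alphanumeric path with no traversal, no scheme and
    * no reference to protected directories is accepted. */
  def isSafeViewPath(path: String): Boolean = {
    if (path == null || path.isEmpty || path.length > 64) return false
    val lower = path.toLowerCase
    !lower.contains("..") &&
      !lower.startsWith("/") &&
      !lower.contains("://") &&
      !lower.contains("web-inf") &&
      !lower.contains("meta-inf") &&
      lower.matches("[a-z0-9_/-]+")
  }
}

/** Hardened servlet: the parameter selects a view, it is not the view. */
class SafeFileDisclosure extends HttpServlet {
  // Fixed prefix chosen by the application (assumed layout); the client cannot escape it.
  private val ViewRoot = "/WEB-INF/views/"

  override def doGet(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    val view = SafeForwards.resolveView(request.getParameter("returnURL"))
    // Forwarding into WEB-INF is fine here because every byte of the path is ours.
    request.getRequestDispatcher(ViewRoot + view + ".jsp").forward(request, response)
  }
}

/** Offline check of the resolver against constructed attacker inputs. */
object SafeForwardsDemo extends App {
  val probes: Seq[String] = Seq(
    "account",                     // allow-listed key -> account/summary
    "../../WEB-INF/web.xml",       // traversal -> default view
    "/WEB-INF/classes/App.class",  // absolute path into protected dir -> default view
    "http://evil.example/",        // external URL -> default view
    null                           // missing parameter -> default view
  )
  probes.foreach { p =>
    val shown = if (p == null) "<null>" else p
    println(f"$shown%-32s -> ${SafeForwards.resolveView(p)}  (raw path acceptable: ${SafeForwards.isSafeViewPath(p)})")
  }
}
```

Only the first probe survives resolveView with a non-default result, and only it passes isSafeViewPath; the allow-list lookup is the primary control, the path check exists solely to catch call sites that still build paths from strings.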

Configuration

This detector does not need any configuration.

References