RequestDispatcher File Disclosure
Description
The `include` and `forward` methods of the `RequestDispatcher` returned by `HttpServletRequest.getRequestDispatcher()` will serve any resource that is resolvable within the web application context, including resources under `/WEB-INF` that the container never serves directly: the `web.xml` deployment descriptor, compiled classes, `jsp` source files, and any JAR or WAR libraries bundled with the application. Never pass user-supplied input directly to any of these methods; a request parameter that reaches `getRequestDispatcher()` unchanged lets the client choose which of those resources is returned.
Examples
Insecure Code
```java
// REQ is the incoming HttpServletRequest; userInput comes straight from the client,
// so the client chooses the path that is forwarded to (e.g. /WEB-INF/web.xml).
REQ.getRequestDispatcher(userInput).forward(request, response);
```
Secure Code
```java
import java.util.HashMap;

// The client may only pick a key; the target path is taken from the table,
// and anything not in the table falls back to a fixed default.
HashMap<String, String> lookupTable = new HashMap<>();
lookupTable.put("key1", "/Resource1");
String redirectValue = lookupTable.getOrDefault(userInput, "/Resource1");
response.sendRedirect(redirectValue);
```
Remediation
Use a lookup table or hardcode which views or paths the user should be directed to. Another option is to use a simple HTTP redirect by returning an empty response body with a 301 status code and a `Location` redirect header. In Java servlets, this can be done by using the `response.sendRedirect(...)` method.
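The lookup-table approach applied to `forward` rather than a redirect, as an added example that is not part of this rule's own code: a servlet that maps a client-supplied view name to an allow-listed JSP path and refuses anything else. It assumes the `javax.servlet` API and the view names and JSP paths shown.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the rule page): the "view" parameter can only select
// an entry of a fixed allow-list, so it can never name /WEB-INF/web.xml, a class
// under /WEB-INF/classes, or any other resource the dispatcher could resolve.
public class ViewServlet extends HttpServlet {

    // Keys are the only values a client may send; values are the real paths.
    // Both the names and the JSP locations are assumptions for this example.
    private static final Map<String, String> VIEWS = Map.of(
        "home",    "/WEB-INF/views/home.jsp",
        "profile", "/WEB-INF/views/profile.jsp");

    /** Resolves a client-supplied view name to an allow-listed path, or null. */
    static String resolveView(String requested) {
        if (requested == null) {
            return VIEWS.get("home");   // default view when no parameter is sent
        }
        return VIEWS.get(requested);    // null for anything not in the allow-list
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolveView(req.getParameter("view"));
        if (target == null) {
            // Unknown name: never fall through to the raw input. Responding 404
            // also leaves a clear access-log signal when unexpected names arrive.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Only values taken from VIEWS ever reach getRequestDispatcher().
        RequestDispatcher rd = req.getRequestDispatcher(target);
        rd.forward(req, resp);
    }
}
```

The same `resolveView` helper can feed `response.sendRedirect(...)` instead of `forward` when the remediation's redirect option is preferred.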
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0707 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-552 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | RequestDispatcher, File Disclosure |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |