Potential File Disclosure via User-Supplied Input
Description
The `org.springframework.web.servlet.ModelAndView` class takes a view name that the configured `ViewResolver` turns into the resource to render. When that view name is built from user-supplied input, the caller chooses which view is resolved. With a prefix/suffix resolver such as `InternalResourceViewResolver`, the input is concatenated into a forward path (for example `/WEB-INF/views/` + input + `.jsp`), so a crafted value can select a JSP the user should not be able to reach; the `redirect:` and `forward:` view-name prefixes understood by `UrlBasedViewResolver` are honoured as well. The result is access to views or files that were meant to be restricted (CWE-552).
Examples
Insecure Code
```java
// The view name comes straight from the request: the caller picks the view.
new org.springframework.web.servlet.ModelAndView(userInput);
```
Secure Code
```java
// Allow-list lookup: only values stored in lookupTable can become the view name;
// an unknown key falls back to a safe default instead of being passed through.
String viewValue = lookupTable.getOrDefault(userInput, "Resource1");
return new ModelAndView(viewValue);
```
Remediation
Never pass user input to `ModelAndView` (or to `ModelAndView.setViewName`) as the view name. Map the user's choice through an allow-list lookup table whose values are the only view names the handler can return, or hardcode the view in the handler; treat a key that is not in the table as an error or a fixed safe default rather than passing it through. The same rule applies to view-name strings returned directly from `@Controller` handler methods, since those go through the same resolver.
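The following Spring MVC controller is an added example, not code from the rule page or from Spring itself; it puts the flagged pattern next to its allow-listed replacement. It assumes an `InternalResourceViewResolver` configured with prefix `/WEB-INF/views/` and suffix `.jsp`; the package, the `/report` paths, the `type` parameter and the view names are hypothetical.

```java
// Added example (not the rule page's own code). Assumes an
// InternalResourceViewResolver with prefix "/WEB-INF/views/" and suffix ".jsp";
// package, paths, parameter name and view names are hypothetical.
package example.web;

import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class ReportController {

    // Allow-list: the only strings that may ever reach ModelAndView.
    // Keys are what the client may send; values are the views they map to.
    private static final Map<String, String> REPORT_VIEWS = Map.of(
            "summary", "reports/summary",
            "detail",  "reports/detail");

    // INSECURE (the pattern this rule flags): the request parameter becomes
    // the view name unchanged. With the assumed resolver it expands to
    // "/WEB-INF/views/" + type + ".jsp", so a value such as "../admin/users"
    // is forwarded to /WEB-INF/admin/users.jsp, and a value beginning with
    // "redirect:" or "forward:" is treated as a redirect or forward by
    // UrlBasedViewResolver.
    @GetMapping("/report/insecure")
    public ModelAndView insecure(@RequestParam("type") String type) {
        return new ModelAndView(type);
    }

    // SECURE: look the client value up and return only an allow-listed view.
    @GetMapping("/report")
    public ModelAndView secure(@RequestParam("type") String type) {
        String view = resolveReportView(type);
        if (view == null) {
            // Unknown key: fail closed instead of guessing a view.
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Unknown report type");
        }
        return new ModelAndView(view);
    }

    // Pure lookup, kept separate so it can be unit-tested without a servlet
    // container. Returns null for anything that is not an allow-listed key.
    static String resolveReportView(String key) {
        return key == null ? null : REPORT_VIEWS.get(key);
    }
}
```

Keeping the lookup in `resolveReportView` means the allow-list can be tested with plain JUnit (`"summary"` resolves, `"../admin/users"` and `"redirect:http://evil.example"` return `null`), and a code-scanning rule that tracks the `type` parameter sees it reach a `Map.get` key, never a `ModelAndView` constructor.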
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0708 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-552 (Files or Directories Accessible to External Parties) |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | file disclosure, access control |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |