URL forward from a remote source¶
ID: java/unvalidated-url-forwardKind: path-problemSecurity severity: 7.5Severity: errorPrecision: highTags: - security - external/cwe/cwe-552Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls
Click to see the query in the CodeQL repository
Directly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.
Recommendation¶
To guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.
Example¶
The following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.
publicclassUrlForwardextendsHttpServlet{privatestaticfinalStringVALID_FORWARD="https://cwe.mitre.org/data/definitions/552.html";protectedvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{ServletConfigcfg=getServletConfig();ServletContextsc=cfg.getServletContext();// BAD: a request parameter is incorporated without validation into a URL forwardsc.getRequestDispatcher(request.getParameter("target")).forward(request,response);// GOOD: the request parameter is validated against a known fixed stringif(VALID_FORWARD.equals(request.getParameter("target"))){sc.getRequestDispatcher(VALID_FORWARD).forward(request,response);}}}
References¶
Common Weakness Enumeration:CWE-552.