Skip to content

Java: Add check for J2EE server directory listing #3595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 24, 2020
Merged

Java: Add check for J2EE server directory listing #3595

merged 4 commits into from
Jun 24, 2020

Conversation

luchua-bc
Copy link
Contributor

Enabling directory listing in J2EE application servers introduces the vulnerability of filename and path disclosure, which could allow an attacker to read arbitrary files in the server web directory. This includes application source code and data, as well as credentials for back-end systems.

Directory listing can be enabled via web.xml configuration of J2EE application servers:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>

This PR adds a CodeQL query to find all insecure web.xml with the listing property set to true.

@luchua-bc luchua-bc requested a review from a team as a code owner May 30, 2020 11:09
@luchua-bc luchua-bc mentioned this pull request May 30, 2020
Closed
1 task
@luchua-bc luchua-bc changed the title Add check for J2EE server directory listing Java: Add check for J2EE server directory listing May 30, 2020
@luchua-bc
Copy link
Contributor Author

luchua-bc commented Jun 23, 2020
edited
Loading

Hi @aschackmull,

Somehow the check of "Code scanning - action / CodeQL-Build (pull_request)" still failed. The error message seems to indicate CodeQL tried to validate the query as C-Sharp code:

2020-06-23T14:35:00.5496700Z Languages from configuration: ["csharp"]
2020-06-23T14:35:00.8028829Z ##[error]The configuration file "/home/runner/work/codeql/codeql/.github/codeql/codeql-config.yml" does not exist
2020-06-23T14:35:00.9796202Z Post job cleanup.

I doubt this error is related to the previously missing ending newline character. How can this issue be fixed? Please advise.

Thanks,
@luchua-bc

aschackmull
aschackmull approved these changes Jun 24, 2020
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CodeQL scanning action is a fairly new addition and the failure is unrelated to this PR, so we can disregard it.

@luchua-bc
Copy link
Contributor Author

Thanks @aschackmull a lot for all your help with this PR.

@luchua-bc

@aschackmull aschackmull merged commit 791f31f into github:master Jun 24, 2020
@luchua-bc luchua-bc deleted the j2ee-server-directory-listing branch June 25, 2020 01:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull approved these changes

Assignees
No one assigned
Labels
Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@luchua-bc @aschackmull